Rico Neubauer created ARTEMIS-2938:
--------------------------------------
Summary: Update to latest Apache ActiveMQ Client to resolve CVEs
Key: ARTEMIS-2938
URL: https://issues.apache.org/jira/browse/ARTEMIS-2938
Project: ActiveMQ Artemis
Issue Type: Improvement
Components: OpenWire
Affects Versions: 2.15.0
Reporter: Rico Neubauer
Attachments:
ARTEMIS-2938-Update-to-latest-Apache-ActiveMQ-Client-to-r.patch
Hi,
artemis-openwire-protocol embeds dependency org.apache.activemq:activemq-client.
Version is defined in main pom.xml and currently 5.14.5.
([Link|https://github.com/apache/activemq-artemis/blob/master/pom.xml#L87])
5.14.5 has the following vulnerabilities:
{noformat}
CVE-2018-11775 (BDSA-2018-3183): (7.4)
--------------------------------
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6
was missing which could make the client vulnerable to a MITM attack between a
Java application using the ActiveMQ client and the ActiveMQ server. This is now
enabled by default.
CVE-2019-0222 (BDSA-2019-0858): (7.5)
-------------------------------
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to
broker Out of Memory exception making it unresponsive.
{noformat}
I therefore kindly request to update the dependency to the latest version -
5.16.0 at time of writing.
Ran a full verification build with 5.16.0, which was perfectly fine.
Previous similar issue: ARTEMIS-118
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
