Bipin Chandra created AMQ-8107:
----------------------------------
Summary: Does ActiveMQ use the affected functionality within
Xstream libraries for CVE-2020-26217
Key: AMQ-8107
URL: https://issues.apache.org/jira/browse/AMQ-8107
Project: ActiveMQ
Issue Type: Bug
Affects Versions: 5.15.14
Environment: apache-activemq-5.16.0
Reporter: Bipin Chandra
Hi,
Please have a look at this vulnerability -
[https://nvd.nist.gov/vuln/detail/CVE-2020-26217]
This is reported on XStream before version 1.4.14.
I checked your latest release on 6th December - apache-activemq-5.16.0 still
have the vulnerable XStream jar.
i.e. xstream-1.4.11.1.jar.
We use ActiveMq in our product and it has been reported as a security
vulnerability.
- Can you confirm if ActiveMq is vulnerable to this CVE?
- If no, then can you confirm which ActiveMq version is safe to use?
- If yes, then we need an upgraded ActiveMq jar with this fix. Need to know the
expected timeline.
Need an urgent response, if possible.
Thanks and regards,
~Bipin Chandra
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
