[ https://issues.apache.org/jira/browse/AMQ-8107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bipin Chandra updated AMQ-8107:
-------------------------------
Description:
Hi,
Please have a look at this vulnerability -
[https://nvd.nist.gov/vuln/detail/CVE-2020-26217]
This is reported on XStream before version 1.4.14.
I checked your latest release - apache-activemq-5.16.0 still has the
vulnerable XStream jar, i.e. xstream-1.4.11.1.jar.
We use ActiveMQ in our product and it has been reported as a security
vulnerability.
- Can you confirm if ActiveMQ is vulnerable to this CVE?
- If no, then can you confirm which ActiveMQ version is safe to use?
- If yes, then we need an upgraded ActiveMQ jar with this fix. Need to know
the expected timeline.
Need an urgent response, if possible.
Thanks and regards,
~Bipin Chandra
was:
Hi,
Please have a look at this vulnerability -
[https://nvd.nist.gov/vuln/detail/CVE-2020-26217]
This is reported on XStream before version 1.4.14.
I checked your latest release on 6th December - apache-activemq-5.16.0 still
has the vulnerable XStream jar, i.e. xstream-1.4.11.1.jar.
We use ActiveMQ in our product and it has been reported as a security
vulnerability.
- Can you confirm if ActiveMQ is vulnerable to this CVE?
- If no, then can you confirm which ActiveMQ version is safe to use?
- If yes, then we need an upgraded ActiveMQ jar with this fix. Need to know the
expected timeline.
Need an urgent response, if possible.
Thanks and regards,
~Bipin Chandra
> Does ActiveMQ use the affected functionality within Xstream libraries for
> CVE-2020-26217
> ----------------------------------------------------------------------------------------
>
> Key: AMQ-8107
> URL: https://issues.apache.org/jira/browse/AMQ-8107
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.15.14
> Environment: apache-activemq-5.16.0
> Reporter: Bipin Chandra
> Priority: Critical
>
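As an added example (not from the reporter or the ActiveMQ project): a Python check that scans an unpacked distribution's lib directory for a bundled XStream jar below the 1.4.14 fix release named in the report, comparing versions numerically rather than as strings. The lib listing in the block is constructed; a hit only shows the affected jar is shipped, and whether ActiveMQ reaches the affected XStream functionality is the separate question this ticket asks.

```python
"""Check an ActiveMQ distribution for an XStream jar older than the
CVE-2020-26217 fix release. Added example, not ActiveMQ or XStream code."""
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Jar names look like xstream-1.4.11.1.jar or xstream-1.4.14.jar.
XSTREAM_JAR = re.compile(r"^xstream-(\d+(?:\.\d+)*)\.jar$")
# First XStream release that addresses CVE-2020-26217, per the NVD entry cited in the report.
FIXED_VERSION = "1.4.14"


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.4.11.1' -> (1, 4, 11, 1). Tuples compare numerically; plain strings
    would rank '1.4.9' above '1.4.14' and misclassify an old jar as fixed."""
    return tuple(int(part) for part in text.split("."))


def xstream_versions(jar_names: Iterable[str]) -> List[str]:
    """Return the XStream versions found among the given jar file names/paths."""
    found = []
    for name in jar_names:
        match = XSTREAM_JAR.match(Path(name).name)
        if match:
            found.append(match.group(1))
    return found


def vulnerable_xstream_jars(jar_names: Iterable[str], fixed: str = FIXED_VERSION) -> List[str]:
    """XStream versions strictly below the fix release. Empty list: no affected
    jar bundled. Non-empty: affected jar present (necessary, not sufficient,
    for the CVE to be reachable through the application)."""
    limit = parse_version(fixed)
    return [v for v in xstream_versions(jar_names) if parse_version(v) < limit]


def scan_lib_dir(lib_dir: str) -> List[str]:
    """Scan a real lib directory, e.g. apache-activemq-5.16.0/lib."""
    return vulnerable_xstream_jars(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed listing modelled on the report (only the xstream jar name is from it).
SAMPLE_LIB_LISTING = [
    "activemq-client-5.16.0.jar",
    "xstream-1.4.11.1.jar",
    "example-other-lib-1.4.9.jar",  # non-XStream jar, must be ignored
]

if __name__ == "__main__":
    print(vulnerable_xstream_jars(SAMPLE_LIB_LISTING))  # ['1.4.11.1']
```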
--
This message was sent by Atlassian Jira
(v8.3.4#803005)