[
https://issues.apache.org/jira/browse/AMQ-8107?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Baptiste Onofré resolved AMQ-8107.
---------------------------------------
Assignee: Jean-Baptiste Onofré
Resolution: Duplicate
I already upgraded to xstream 1.4.14 in AMQ-8084. I will also upgrade to
xstream 1.4.15. It will be part of the next releases (5.17.0/5.16.1/5.15.17).
> Does ActiveMQ use the affected functionality within Xstream libraries for
> CVE-2020-26217
> ----------------------------------------------------------------------------------------
>
> Key: AMQ-8107
> URL: https://issues.apache.org/jira/browse/AMQ-8107
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.15.14
> Environment: apache-activemq-5.16.0
> Reporter: Bipin Chandra
> Assignee: Jean-Baptiste Onofré
> Priority: Critical
>
>
> Hi,
> Please have a look at this vulnerability -
> [https://nvd.nist.gov/vuln/detail/CVE-2020-26217]
>
>
> This is reported on XStream before version 1.4.14.
>
> I checked your latest release - apache-activemq-5.16.0 still have the
> vulnerable XStream jar.
> i.e. xstream-1.4.11.1.jar.
>
> We use ActiveMq in our product and it has been reported as a security
> vulnerability.
>
> - Can you confirm if ActiveMq is vulnerable to this CVE?
> - If no, then can you confirm which ActiveMq version is safe to use?
> - If yes, then we need an upgraded ActiveMq jar with this fix. Need to know
> the expected timeline.
>
> Need an urgent response, if possible.
>
> Thanks and regards,
> ~Bipin Chandra
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
