[
https://issues.apache.org/jira/browse/AMQ-8562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Baptiste Onofré resolved AMQ-8562.
---------------------------------------
Assignee: Jean-Baptiste Onofré
Resolution: Duplicate
> Spring4shell vulnerability mitigation
> -------------------------------------
>
> Key: AMQ-8562
> URL: https://issues.apache.org/jira/browse/AMQ-8562
> Project: ActiveMQ
> Issue Type: Bug
> Components: AMQP
> Affects Versions: 5.16.4
> Reporter: Shubhangi Raut
> Assignee: Jean-Baptiste Onofré
> Priority: Critical
> Labels: security
> Fix For: 5.17.1
>
>
> *Severity :* Sonatype CVSS 3: 9.8; CVE CVSS 2.0: 0.0
> *Weakness :* Sonatype CWE: 470
> *Source :* Sonatype Data Research
> *Explanation :* The spring-beans package is vulnerable to Remote Code
> Execution [RCE]. The constructor method in the CachedIntrospectionResults
> class allows the loading of arbitrary classes. A remote attacker can exploit
> this vulnerability to upload a malicious class and ultimately result in RCE.
> This issue is due to an insufficient fix for CVE-2010-1622.
> We are still investigating other avenues of attack but out of an abundance
> of caution, and media attention, are releasing this advisory now.
> *Detection :* The application is vulnerable by using this component, if using
> Java version 9 or above.
> Mitigation: Upgrade spring version to latest available.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)