Hello,
Our company is using ActiveMQ v5.16.1
We have scanned the software with a security scanner and it has found 
critical/high severity security issues in 3 packages used by ActiveMQ:
- log4j_log4j
- org.apache.shiro_shiro-core
- com.thoughtworks.xstream_xstream

Here is the list of CVEs found:

CVE ID                                           Severity  Package                           Package Version  CVSS  Fix Status
https://nvd.nist.gov/vuln/detail/CVE-2019-17571  critical  log4j_log4j                       1.2.17           9.8
https://nvd.nist.gov/vuln/detail/CVE-2020-17523  critical  org.apache.shiro_shiro-core       1.7.0            9.8   fixed in 1.7.1
https://nvd.nist.gov/vuln/detail/CVE-2021-21342  critical  com.thoughtworks.xstream_xstream  1.4.15           9.1   fixed in 1.4.16
https://nvd.nist.gov/vuln/detail/CVE-2021-21344  critical  com.thoughtworks.xstream_xstream  1.4.15           9.8   fixed in 1.4.16
https://nvd.nist.gov/vuln/detail/CVE-2021-21345  critical  com.thoughtworks.xstream_xstream  1.4.15           9.9   fixed in 1.4.16
https://nvd.nist.gov/vuln/detail/CVE-2021-21346  critical  com.thoughtworks.xstream_xstream  1.4.15           9.8   fixed in 1.4.16
https://nvd.nist.gov/vuln/detail/CVE-2021-21347  critical  com.thoughtworks.xstream_xstream  1.4.15           9.8   fixed in 1.4.16
https://nvd.nist.gov/vuln/detail/CVE-2021-21350  critical  com.thoughtworks.xstream_xstream  1.4.15           9.8   fixed in 1.4.16
https://nvd.nist.gov/vuln/detail/CVE-2021-21351  critical  com.thoughtworks.xstream_xstream  1.4.15           9.1   fixed in 1.4.16
https://nvd.nist.gov/vuln/detail/CVE-2021-21341  high      com.thoughtworks.xstream_xstream  1.4.15           7.5   fixed in 1.4.16
https://nvd.nist.gov/vuln/detail/CVE-2021-21343  high      com.thoughtworks.xstream_xstream  1.4.15           7.5   fixed in 1.4.16
https://nvd.nist.gov/vuln/detail/CVE-2021-21348  high      com.thoughtworks.xstream_xstream  1.4.15           7.5   fixed in 1.4.16
https://nvd.nist.gov/vuln/detail/CVE-2021-21349  high      com.thoughtworks.xstream_xstream  1.4.15           8.6   fixed in 1.4.16

I found the following JIRAs related to these:
Upgrade Shiro: https://issues.apache.org/jira/browse/AMQ-8159 - RESOLVED
Upgrade XStream: https://issues.apache.org/jira/browse/AMQ-8197 - RESOLVED
Upgrade Log4J: https://issues.apache.org/jira/browse/AMQ-7426 - OPEN

Please can you give me an ETA for when Apache ActiveMQ v5.16.2 will be released?

Best regards,
Simon.
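The scanner findings in the message above are a static list; a practitioner will usually want to re-check the jars actually shipped in an ActiveMQ installation's lib directory against the fix versions the scanner reported, both before and after an upgrade. The following script is an added example and is not part of the e-mail or of the ActiveMQ project. It transcribes the CVE, package, affected version and fix version columns from the table above, parses jar file names of the form artifact-version.jar (an assumed naming convention; the sample file list is constructed, not taken from a real installation), and reports per jar whether each finding is fixed, still vulnerable, or has no fix version listed by the scanner (the log4j row).

```python
"""Compare jar versions from an ActiveMQ lib directory against scanner fix versions.

Added example, not project code. FINDINGS is transcribed from the scanner table
in the e-mail above; the jar file names used for the demonstration are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# (CVE, package as reported by the scanner, affected version, fix version or None)
FINDINGS: List[Tuple[str, str, str, Optional[str]]] = [
    ("CVE-2019-17571", "log4j_log4j", "1.2.17", None),
    ("CVE-2020-17523", "org.apache.shiro_shiro-core", "1.7.0", "1.7.1"),
    ("CVE-2021-21342", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
    ("CVE-2021-21344", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
    ("CVE-2021-21345", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
    ("CVE-2021-21346", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
    ("CVE-2021-21347", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
    ("CVE-2021-21350", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
    ("CVE-2021-21351", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
    ("CVE-2021-21341", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
    ("CVE-2021-21343", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
    ("CVE-2021-21348", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
    ("CVE-2021-21349", "com.thoughtworks.xstream_xstream", "1.4.15", "1.4.16"),
]

# Assumed jar naming convention: <artifact>-<numeric.version>.jar
# Names with qualifiers such as -SNAPSHOT are deliberately not matched.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.16' into (1, 4, 16) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (artifact, version) for a jar file name, or None if it does not fit the convention."""
    match = JAR_RE.match(name)
    if not match:
        return None
    return match.group("artifact"), match.group("version")


def scanner_artifact(package: str) -> str:
    """The scanner reports '<groupId>_<artifactId>'; the jar name carries only the artifactId."""
    return package.split("_", 1)[1]


def assess_jars(jar_names: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each jar that matches a finding to a list of (CVE, status).

    status is 'fixed' when the jar version is at or above the scanner's fix version,
    'vulnerable' when it is below, and 'no fix version listed' when the scanner
    gave no fix version (a case that needs manual review rather than a version check).
    """
    report: Dict[str, List[Tuple[str, str]]] = {}
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        hits: List[Tuple[str, str]] = []
        for cve, package, _affected, fixed in FINDINGS:
            if scanner_artifact(package) != artifact:
                continue
            if fixed is None:
                status = "no fix version listed"
            elif parse_version(version) >= parse_version(fixed):
                status = "fixed"
            else:
                status = "vulnerable"
            hits.append((cve, status))
        if hits:
            report[name] = hits
    return report


def vulnerable_jars(report: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Jars with at least one finding still marked 'vulnerable', sorted for stable output."""
    return sorted(name for name, hits in report.items() if any(s == "vulnerable" for _, s in hits))


if __name__ == "__main__":
    # Constructed file list standing in for `ls lib/` on a 5.16.1 installation.
    sample_lib = ["activemq-broker-5.16.1.jar", "log4j-1.2.17.jar",
                  "shiro-core-1.7.0.jar", "xstream-1.4.15.jar"]
    result = assess_jars(sample_lib)
    for jar, hits in result.items():
        for cve, status in hits:
            print(f"{jar}: {cve} -> {status}")
    print("still vulnerable:", vulnerable_jars(result))
```

Running the script against a real installation only requires replacing the constructed list with the jar names from the lib directory; the xstream findings all share the 1.4.16 fix version, so a single jar replaced by xstream-1.4.16.jar flips all eleven of them to fixed, while the log4j row stays flagged for manual review because the scanner gave no fix version for it.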