Justin, great catch on that one. I will look into this further.
Respectfully,

Del Simmons
Consultant
http://www.zigabyte.com/ | Character | Competence | Community
email: delbert.simm...@zigabyte.com
cell: 803.269.9182

________________________________
From: Justin Bertram <jbert...@apache.org>
Sent: Monday, April 21, 2025 11:44 AM
To: users@activemq.apache.org <users@activemq.apache.org>
Subject: [EXTERNAL] Re: ActiveMQ 5.19.0 Security Vulnerabilities

> Critical: CVE-2016-1000027 — https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

The link indicates the CVE impacts "Spring Framework through 5.3.16." However, ActiveMQ Classic 5.19.0 ships with Spring 5.3.39. This seems like a false positive from your scanner.

Justin

On Mon, Apr 21, 2025 at 10:28 AM Simmons, Delbert <delbert.simm...@zigabyte.com> wrote:
> Hi,
>
> I am new to the group. Hoping to get some information on two vulnerabilities that were returned when running a Trivy scan on ActiveMQ 5.19.0. I realize these would be resolved if we just upgraded to ActiveMQ 6.1.6, but another piece of software on our system is not compatible with Java 17. It looks like the newest supported version of ActiveMQ on Java 11 is ActiveMQ 5.19.0. However, our security scan had two findings that are areas of concern. Is 5.19.0 actually impacted by these findings? If not, please give an explanation as to why not.
>
> Additionally, are there plans to upgrade these components to the "fixed version" as indicated in the screenshot below?
>
> components of ActiveMQ 5.19.0:
>
> *spring-web 5.3.39.0*
> Critical: CVE-2016-1000027 — https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
>
> *camel-core 2.25.4.0*
> High: CVE-2020-11971 — https://nvd.nist.gov/vuln/detail/CVE-2020-11971
>
> *Respectfully,*
>
> *Del Simmons*
> Consultant
> http://www.zigabyte.com/ | Character | Competence | Community
>
> email: delbert.simm...@zigabyte.com
> cell: 803.269.9182
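A small triage script, added here as an example (not from the thread or from the ActiveMQ project), that applies Justin's check mechanically: it reads a Trivy-style JSON report, compares each installed version numerically against the advisory's inclusive "affected through" bound, and marks findings above the bound as likely false positives. The report contents and the Trivy field names are constructed assumptions, and CVE-2020-11971 is given no bound because the thread states none, so it falls through to manual review.

```python
import json
import re

# Constructed sample modelled on Trivy's JSON layout (Results[].Vulnerabilities[]);
# the package/version/CVE pairs are the ones reported in the thread.
TRIVY_REPORT = json.dumps({
    "Results": [{
        "Target": "apache-activemq-5.19.0/lib",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2016-1000027", "PkgName": "spring-web",
             "InstalledVersion": "5.3.39.0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2020-11971", "PkgName": "camel-core",
             "InstalledVersion": "2.25.4.0", "Severity": "HIGH"},
        ],
    }]
})

# Inclusive upper bound of the affected range, taken from the advisory text
# ("Spring Framework through 5.3.16" per NVD, as quoted in the thread).
# No bound is recorded for CVE-2020-11971 because the thread does not give one.
AFFECTED_THROUGH = {"CVE-2016-1000027": "5.3.16"}


def version_key(v: str) -> tuple:
    """Numeric, zero-padded key so that 5.3.9 < 5.3.16 and 5.3.39.0 == 5.3.39.
    Anything after a '-' (e.g. -SNAPSHOT) and non-numeric tails are ignored,
    which is adequate for released jars."""
    parts = [int(p) for p in re.findall(r"\d+", v.split("-")[0])]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def triage(finding: dict) -> str:
    """'affected', 'likely-false-positive', or 'review' when no bound is known."""
    bound = AFFECTED_THROUGH.get(finding["VulnerabilityID"])
    if bound is None:
        return "review"
    installed = version_key(finding["InstalledVersion"])
    return "likely-false-positive" if installed > version_key(bound) else "affected"


def triage_report(report_json: str) -> dict:
    """Map each CVE in a Trivy-style report to its triage verdict."""
    verdicts = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities", []):
            verdicts[v["VulnerabilityID"]] = triage(v)
    return verdicts


if __name__ == "__main__":
    for cve, verdict in triage_report(TRIVY_REPORT).items():
        print(cve, verdict)
```

A version-range verdict only says the scanner matched a range the shipped jar is outside of; it does not replace checking whether the affected code path is reachable in your deployment.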