For 2 and 3, the fix is in the HTTP endpoint configuration for hawtio.
For 1, configuring jolokia.policyLocation is all that is required.
That was not possible in earlier versions of A-MQ.

I don't think any of the above are relevant to ActiveMQ 5.


On Thu, 17 Oct 2019 at 12:53, j...@nanthrax.net <j...@nanthrax.net> wrote:
>
>
> Hi Colm
>
> I will do a review as I'm preparing 5.16.0 and 5.15.11 releases.
>
> Thanks for the reminder.
>
> Regards
> JB
>
> On Thursday, October 17, 2019 13:52 CEST, Colm O hEigeartaigh 
> <cohei...@apache.org> wrote:
> Hi,
>
> I previously posted this to the private list (last year), but I didn't get
> any reply - so maybe I'll have more luck here :-)
>
> I'd like to clear up 3 ActiveMQ CVEs that are reported at NIST, which have
> no "fix" version associated with them. Please give me some feedback on the
> following:
>
> 1) https://nvd.nist.gov/vuln/detail/CVE-2015-5182 (
> https://bugzilla.redhat.com/show_bug.cgi?id=1248809). The redhat bug is
> marked as "WONTFIX", so I'm not sure if this was accepted as a valid issue
> or not?
>
> 2) https://nvd.nist.gov/vuln/detail/CVE-2015-5183. This is reported against
> the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we
> don't bundle Hawt IO, then the CPE is invalid, as the issue has nothing to
> do with AMQ. Could someone confirm this? Was there any fix made to the AMQ
> codebase for this issue?
>
> 3) https://nvd.nist.gov/vuln/detail/CVE-2015-5184. This is reported against
> the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we
> don't bundle Hawt IO, then the CPE is invalid, as the issue has nothing to
> do with AMQ. Could someone confirm this? Was there any fix made to the AMQ
> codebase for this issue?
>
> I can communicate the findings with NIST to update the CVEs if I get some
> feedback.
>
> Colm.
>
>
>
