Thanks Gary. OK so for 2 + 3, the issue is in Hawtio and not AMQ, so I will alert NIST about changing the CPE score for these issues so that we don't see CVEs appearing when scanning AMQ artifacts.
Just to get a bit more clarity on your comment for point (1) - grepping the AMQ source for "jolokia.policyLocation" doesn't throw anything up. There is a reference in the Hawt IO source though for it ( https://github.com/hawtio/hawtio/search?q=jolokia.policyLocation&unscoped_q=jolokia.policyLocation). Does this mean the issue was not fixed in AMQ? Colm. On Thu, Oct 17, 2019 at 2:32 PM Gary Tully <gary.tu...@gmail.com> wrote: > for 2 and 3, the fix is in the http endpoint configuration for hawtio > for 1, configuring jolokia.policyLocation is all that is required. > that was not possible in earlier versions of A-MQ. > > I don't think any of the above are relevant to activemq 5. > > > On Thu, 17 Oct 2019 at 12:53, j...@nanthrax.net <j...@nanthrax.net> wrote: > > > > > > Hi Colm > > > > I will do a review as I'm preparing 5.16.0 and 5.15.11 releases. > > > > Thanks for the reminder. > > > > Regards > > JB > > > > On Thursday, October 17, 2019 13:52 CEST, Colm O hEigeartaigh < > cohei...@apache.org> wrote: > > Hi, > > > > I previously posted this to the private list (last year), but I didn't > get > > any reply - so maybe I'll have more luck here :-) > > > > I'd like to clear up 3 ActiveMQ CVEs that are reported at NIST, which > have > > no "fix" version associated with them. Please give me some feedback on > the > > following: > > > > 1) https://nvd.nist.gov/vuln/detail/CVE-2015-5182 ( > > https://bugzilla.redhat.com/show_bug.cgi?id=1248809). The redhat bug is > > marked as "WONTFIX", so I'm not sure if this was accepted as a valid > issue > > or not? > > > > 2) https://nvd.nist.gov/vuln/detail/CVE-2015-5183. This is reported > against > > the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we > > don't bundle Hawt IO, then the CPE is invalid, as the issue has nothing > to > > do with AMQ. Could someone confirm this? Was there any fix made to the > AMQ > > codebase for this issue? > > > > 3) https://nvd.nist.gov/vuln/detail/CVE-2015-5184. This is reported > against > > the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we > > don't bundle Hawt IO, then the CPE is invalid, as the issue has nothing > to > > do with AMQ. Could someone confirm this? Was there any fix made to the > AMQ > > codebase for this issue? > > > > I can communicate the findings with NIST to update the CVEs if I get some > > feedback. > > > > Colm. > > > > > > >
