Hi all,

An update on this long-running task. RedHat have updated the descriptions for the following two CVEs to make it clearer that they affect RedHat AMQ and not Apache, and then NIST changed the CPE scores to remove Apache ActiveMQ:

https://nvd.nist.gov/vuln/detail/CVE-2015-5183
https://nvd.nist.gov/vuln/detail/CVE-2015-5184

So for these two CVEs, vulnerability scanners are no longer flagging Apache ActiveMQ as vulnerable.

The remaining task is https://nvd.nist.gov/vuln/detail/CVE-2015-5182

I am waiting on clarification from RedHat here, as the upstream bug is marked as "WONTFIX".

Colm.

On Wed, Feb 26, 2020 at 1:15 PM Mark J Cox <m...@apache.org> wrote:

> Yes, they can update the master CVE (Mitre) description which appears
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5183 which NVD are
> downstream from.
>
> Mark
>
> On Wed, Feb 26, 2020 at 1:12 PM Colm O hEigeartaigh <cohei...@apache.org>
> wrote:
>
> > Hi Mark,
> >
> > OK I will do thanks. Just for clarity, when you say they can update the
> > entry without Mitre - are you referring to the description
> > https://nvd.nist.gov/vuln/detail/CVE-2015-5183 or just in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1249182 ?
> >
> > Colm.
> >
> > On Wed, Feb 26, 2020 at 12:54 PM Mark J Cox <m...@apache.org> wrote:
> >
> >> Hi Colm; as the assigning CNA was Red Hat I'd suggest reaching out to
> >> them via secal...@redhat.com and ask them to update the entry (they have
> >> the ability to do this themselves and very quickly and easily without
> >> having to involve Mitre at all). Once that is done which should take only
> >> a day or two you can ask NIST to update the CPE list based on that change.
> >>
> >> Cheers, Mark
> >>
> >> On Tue, Feb 25, 2020 at 2:40 PM Colm O hEigeartaigh <cohei...@apache.org>
> >> wrote:
> >>
> >>> Hi all,
> >>>
> >>> A few months ago I raised the issue of a number of CVEs reported against
> >>> AMQ which have no "fix for" version. I have some time again to look into
> >>> this, and so I'd like to take them one by one.
> >>>
> >>> https://nvd.nist.gov/vuln/detail/CVE-2015-5183
> >>>
> >>> "The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes
> >>> on cookies."
> >>>
> >>> The original JIRA (https://bugzilla.redhat.com/show_bug.cgi?id=1249182)
> >>> refers to the Hawt IO Console, and not anything in ActiveMQ. Although note
> >>> that we didn't set HTTPOnly for the AMQ Web Console until the 5.15.11
> >>> release (https://issues.apache.org/jira/browse/AMQ-7322).
> >>>
> >>> As this CVE does not concern ActiveMQ at all, I would like to mail NIST
> >>> and request that they change the CPE score to stop referencing ActiveMQ,
> >>> and also update the description not to refer to ActiveMQ.
> >>>
> >>> It would be great if someone from the PMC could give me a +1 to this
> >>> plan, and I will be able to link to this thread when contacting NIST.
> >>>
> >>> Colm.
> >>>
> >>
> >
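The CVE description quoted in the thread turns on whether a web console's session cookies carry the HttpOnly and Secure attributes. The following is an added example, not code from ActiveMQ, Hawtio, or anyone in this thread: it parses Set-Cookie header values the way RFC 6265 lays them out (cookie-pair first, then semicolon-separated attributes, attribute names case-insensitive) and reports which of the two attributes each cookie lacks, which is the check one would run against one's own deployment after the 5.15.11 fix referenced above. The sample headers and the function names are constructed for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example; not code from the ActiveMQ or Hawtio projects.
The sample headers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CookieCheck:
    name: str
    httponly: bool
    secure: bool
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieCheck:
    """Parse one Set-Cookie value and report which hardening flags are absent.

    The first ';'-separated element is name=value; the rest are attributes.
    HttpOnly and Secure are flag attributes (no '=value'), and attribute
    names are case-insensitive, so 'HTTPONLY' counts the same as 'HttpOnly'.
    """
    parts = [p.strip() for p in header_value.split(";")]
    # Cookie values may themselves contain '=', so split the pair only once.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    httponly = "httponly" in attrs
    secure = "secure" in attrs
    missing = []
    if not httponly:
        missing.append("HttpOnly")
    if not secure:
        missing.append("Secure")
    return CookieCheck(name, httponly, secure, missing)


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each Set-Cookie cookie name to the list of attributes it lacks.

    Cookies that carry both attributes map to an empty list, so the caller
    can distinguish 'checked and fine' from 'never seen'.
    """
    report: Dict[str, List[str]] = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        check = parse_set_cookie(hvalue)
        report[check.name] = check.missing
    return report


# Constructed sample response headers: one session cookie with no flags,
# one CSRF cookie that sets both (plus SameSite, which this check ignores).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for cookie_name, missing in audit_headers(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie_name}: {status}")
```

On the sample input this reports JSESSIONID as missing both attributes and csrftoken as OK. In practice one would feed it the headers captured from a real response to the console's login endpoint; a cookie that lacks Secure is also worth flagging even on a plain-HTTP test instance, since the flag only matters once the console is reachable over HTTPS.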