Just to be clear, please advise, does ActiveMQ 5.17.x *require* JRE 11+ (or
>1.8 in any case) at runtime, even if only using the client JAR (without
the additional dependencies required to support embedded brokers using the
vm and peer transports, for example)?

And second, please confirm, I don't need to worry about these Spring
related vulnerabilities if using only the client JAR e.g. for tcp or
failover connections, with no embedded brokers.

If this second point is correct, then at least it shouldn't be a big deal
if some of our client applications do need to reference ActiveMQ client
version 5.16.4, even after our broker(s) have been upgraded to 5.17.1+.

Thanks,
Bruce D

On Thu, Mar 31, 2022 at 7:56 AM Matt Pavlovich <mattr...@gmail.com> wrote:

> One more note— the current exploit _requires_ JDK 9+, so many 5.15.x and
> some 5.16.x would not be impacted.
>
> > On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <mattr...@gmail.com> wrote:
> >
> > @JB — Agreed, so far there is no published exploit that would impact
> ActiveMQ.
> >
> > Here is the latest I was able to find from Spring regarding backports
> (sounds like no 4.x patch is coming):
> >
> > ref: https://github.com/spring-projects/spring-framework/issues/28260
> >
> > Thanks,
> > Matt Pavlovich
> >
> >> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >>
> >> Hi,
> >>
> >> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
> >> users are still using 5.15.x/5.16.x, so, I would not be too "strict"
> >> ;)
> >>
> >> In the context of ActiveMQ, the CVE is not very severe IMHO.
> >>
> >> Regards
> >> JB
> >>
> >> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattr...@gmail.com> wrote:
> >>>
> >>> @JB—
> >>>
> >>> The Spring release documentation is indicating that “older unsupported” releases are impacted, i.e. Spring 4.x used by ActiveMQ 5.16.x.
> >>>
> >>> If we do not get a Spring 4.x fix, we may need a corresponding
> announcement deprecating 5.16.x.
> >>>
> >>> Thoughts?
> >>> Matt Pavlovich
> >>>
> >>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >>>>
> >>>> Hi guys,
> >>>>
> >>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> >>>> submit it to vote during the weekend or next week.
> >>>>
> >>>> One of the main reasons is to update to Spring 5.3.18 which includes
> >>>> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> >>>> I also have other fixes/updates to add.
> >>>>
> >>>> Regards
> >>>> JB
> >>>
