Hi,

I see the latest version of ActiveMQ Broker (5.17.2) includes Jackson Databind 2.13.3, which is vulnerable to recent potential security (resource exhaustion) issues:

https://nvd.nist.gov/vuln/detail/CVE-2022-42003
https://nvd.nist.gov/vuln/detail/CVE-2022-42004

Unfortunately some of the products I work with are still using Java 8 and so are actually using ActiveMQ 5.16.5, so even if a new version of 5.17.x is released with an updated version of Jackson Databind we would not be able to use it. So we are trying to understand the impact of these vulnerabilities on ActiveMQ, to see if it would affect our customers and to understand the severity of the issues.

It looks like these issues are only exploitable if the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. What do you guys think, would ActiveMQ really be vulnerable to these issues?

Regards,

--
Peter Raymond
Principal Software Architect
Micro Focus | Serena Software
Tel: +44 (0)1727 813362
mailto: peter.raym...@microfocus.com
WWW: https://www.microfocus.com
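An added example, not from the message above nor from the ActiveMQ or Jackson projects, showing two checks a defender can run on the side of the application that calls Jackson: whether an ObjectMapper has the UNWRAP_SINGLE_VALUE_ARRAYS feature the two CVEs depend on, and a streaming pre-check that rejects input nested deeper than a chosen limit before it reaches data binding. The limit of 64 and the nested sample payload are assumptions chosen for the example.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class NestingGuard {
    // Assumed limit: arrays/objects nested deeper than this are rejected
    // before any ObjectMapper.readValue() call is made.
    private static final int MAX_DEPTH = 64;

    /** Reports whether the mapper has the feature the CVEs require to be enabled. */
    static boolean unwrapSingleValueArraysEnabled(ObjectMapper mapper) {
        return mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
    }

    /**
     * Walks the token stream (no recursion, no object binding) and returns true
     * if array/object nesting exceeds MAX_DEPTH.
     */
    static boolean exceedsMaxDepth(String json) throws IOException {
        try (JsonParser p = new JsonFactory().createParser(json)) {
            int depth = 0;
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    if (++depth > MAX_DEPTH) {
                        return true;
                    }
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        System.out.println("UNWRAP_SINGLE_VALUE_ARRAYS enabled: "
                + unwrapSingleValueArraysEnabled(mapper));

        // Constructed sample: a single value wrapped in 100 nested arrays.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 100; i++) sb.append('[');
        sb.append('1');
        for (int i = 0; i < 100; i++) sb.append(']');

        System.out.println("deep payload rejected: " + exceedsMaxDepth(sb.toString()));
        System.out.println("normal payload rejected: " + exceedsMaxDepth("{\"a\":[1,2,3]}"));
    }
}
```

Running the guard on every untrusted payload before binding keeps the check independent of which jackson-databind version the broker ships.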