Hi,

It's already on track, with Jira and PR:
https://issues.apache.org/jira/browse/AMQ-9130
https://github.com/apache/activemq/pull/925

I plan to submit the 5.17.3 release to vote next week.

Regards
JB

On Fri, Oct 28, 2022 at 11:48 AM Peter Raymond <peter.raym...@microfocus.com.invalid> wrote:
>
> Hi,
>
> I see the latest version of ActiveMQ Broker (5.17.2) includes Jackson
> Databind 2.13.3, which is vulnerable to recent potential security (resource
> exhaustion) issues:
> https://nvd.nist.gov/vuln/detail/CVE-2022-42003
> https://nvd.nist.gov/vuln/detail/CVE-2022-42004
>
> Unfortunately some of the products I work with are still using Java 8 so are
> actually using ActiveMQ 5.16.5, so, even if a new version of 5.17.x is
> released with an updated version of Jackson Databind, we would not be able to use
> it.
>
> So we are trying to understand the impact of these vulnerabilities on
> ActiveMQ to see if it would affect our customers and to understand the
> severity of the issues.
> It looks like these issues are only exploitable if the
> UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
> What do you guys think, would ActiveMQ really be vulnerable to these issues?
>
> Regards,
> --
> Peter Raymond
> Principal Software Architect
> Micro Focus | Serena Software
> Tel: +44 (0)1727 813362
> mailto: peter.raym...@microfocus.com
> WWW: https://www.microfocus.com
>
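For anyone doing the same triage as the question above, here is an added example (not from the thread or the ActiveMQ project) that checks the precondition Peter points at: it reports the jackson-databind version actually on the classpath and whether `DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS` is enabled on a given `ObjectMapper`, and builds a mapper with that feature pinned off. The class and method names are assumptions; the Jackson APIs are real, and the code stays on Java 8 syntax.

```java
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

/** Triage helper (hypothetical name): does this mapper meet the exploitability precondition? */
public final class JacksonUnwrapCheck {

    /** Plain result holder, kept record-free so it compiles on Java 8. */
    public static final class Exposure {
        public final Version databindVersion;
        public final boolean unwrapEnabled;

        Exposure(Version databindVersion, boolean unwrapEnabled) {
            this.databindVersion = databindVersion;
            this.unwrapEnabled = unwrapEnabled;
        }

        public String summary() {
            return "jackson-databind " + databindVersion
                 + ", UNWRAP_SINGLE_VALUE_ARRAYS=" + (unwrapEnabled ? "ENABLED" : "disabled");
        }
    }

    /** mapper.version() resolves to the jackson-databind artifact really loaded, not the one in the POM. */
    public static Exposure inspect(ObjectMapper mapper) {
        boolean unwrap = mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        return new Exposure(mapper.version(), unwrap);
    }

    /** The feature is off by default in Jackson 2.x; pinning it off guards against shared config that turned it on. */
    public static ObjectMapper hardenedMapper() {
        return JsonMapper.builder()
                .disable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)
                .build();
    }

    public static void main(String[] args) {
        // Constructed comparison: a mapper configured the risky way versus the hardened one.
        ObjectMapper appMapper = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        System.out.println("app mapper:      " + inspect(appMapper).summary());
        System.out.println("hardened mapper: " + inspect(hardenedMapper()).summary());
    }
}
```

Run it inside the application's own classpath (for example from a broker plugin or a test in the same module) so the reported version reflects the jar the broker actually loads rather than a declared dependency.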