And back to your question, jackson (including jackson-databind) is used only in webconsole (and partition but that's rare ;)).
So basically, if you don't use/expose ActiveMQ WebConsole, you don't have any risk. Furthermore, jackson databind is used in webconsole to marshal/unmarshal console objects, so it's "controlled". IMHO, the risk is quite null.

Regards
JB

On Fri, Oct 28, 2022 at 11:48 AM Peter Raymond <peter.raym...@microfocus.com.invalid> wrote:
>
> Hi,
>
> I see the latest version of ActiveMQ Broker (5.17.2) includes Jackson
> Databind 2.13.3 which is vulnerable to recent potential security (resource
> exhaustion) issues:
> https://nvd.nist.gov/vuln/detail/CVE-2022-42003
> https://nvd.nist.gov/vuln/detail/CVE-2022-42004
>
> Unfortunately some of the products I work with are still using Java 8 so are
> actually using ActiveMQ 5.16.5, so, even if a new version of 5.17.x is
> released with an updated version of Jackson Databind we would not be able to use
> it.
>
> So we are trying to understand the impact of these vulnerabilities on
> ActiveMQ to see if it would affect our customers and to understand the
> severity of the issues.
> It looks like these issues are only exploitable if the
> UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
> What do you guys think, would ActiveMQ really be vulnerable to these issues?
>
> Regards,
> --
> Peter Raymond
> Principal Software Architect
> Micro Focus | Serena Software
> Tel: +44 (0)1727 813362
> mailto: peter.raym...@microfocus.com
> WWW: https://www.microfocus.com
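An added example, not from this thread or the ActiveMQ project, of the inventory check a defender would run before deciding whether the thread's advice applies to their install: it walks an ActiveMQ installation, lists every bundled jackson-databind jar together with the directory it sits in (which shows which component pulls it in), and flags any below a minimum version passed on the command line. The install root, the jar naming pattern `jackson-databind-<version>.jar`, and the minimum version (take it from the NVD entries linked above) are assumptions.

```shell
#!/bin/sh
# Inventory jackson-databind jars under an ActiveMQ install and flag old ones.
# Added example, not ActiveMQ project code. Assumptions: jars are named
# jackson-databind-<version>.jar, the install root is $1, the minimum
# acceptable version is $2, and paths contain no whitespace.

# version_lt A B: true (0) when dotted version A is lower than version B.
# Missing components count as 0, so 2.13.4 < 2.13.4.1; a non-numeric
# suffix such as -rc1 is ignored for the component it is attached to.
version_lt() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# scan_jars ROOT MINVER: print every jackson-databind jar under ROOT with its
# version and its directory relative to ROOT (the directory tells you which
# component, e.g. the web console, ships it). Returns 1 if any jar is below
# MINVER, 0 otherwise.
scan_jars() {
  root="$1"; minver="$2"; bad=0
  for jar in $(find "$root" -name 'jackson-databind-*.jar' 2>/dev/null); do
    ver=${jar##*/jackson-databind-}; ver=${ver%.jar}
    rel=${jar#"$root"/}
    if version_lt "$ver" "$minver"; then
      echo "BELOW MINIMUM  $rel (jackson-databind $ver < $minver)"
      bad=1
    else
      echo "ok             $rel (jackson-databind $ver)"
    fi
  done
  return "$bad"
}

# Usage: sh check-jackson.sh /path/to/apache-activemq <minimum-version>
if [ "$#" -eq 2 ]; then
  scan_jars "$1" "$2"
fi
```

A non-zero exit status means at least one bundled jar is below the minimum, which makes the script usable as a gate in a build or deployment pipeline.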