It may also be reassuring that UNWRAP_SINGLE_VALUE_ARRAYS is not enabled by default, and it is not found anywhere in the ActiveMQ code.
Bruce

On Sat, Oct 29, 2022 at 7:14 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> And back to your question, jackson (including jackson-databind) is used only in webconsole (and partition but that's rare ;)).
>
> So basically, if you don't use/expose ActiveMQ WebConsole, you don't have any risk. Furthermore, jackson databind is used in webconsole to marshall/unmarshall console objects, so it's "controlled".
> IMHO, the risk is quite null.
>
> Regards
> JB
>
> On Fri, Oct 28, 2022 at 11:48 AM Peter Raymond <peter.raym...@microfocus.com.invalid> wrote:
> >
> > Hi,
> >
> > I see the latest version of ActiveMQ Broker (5.17.2) includes Jackson Databind 2.13.3 which is vulnerable to recent potential security (resource exhaustion) issues:
> > https://nvd.nist.gov/vuln/detail/CVE-2022-42003
> > https://nvd.nist.gov/vuln/detail/CVE-2022-42004
> >
> > Unfortunately some of the products I work with are still using Java 8 so are actually using ActiveMQ 5.16.5, so, even if a new version of 5.17.x is released with an updated version of Jackson Databind we would not be able to use it.
> >
> > So we are trying to understand the impact of these vulnerabilities on ActiveMQ to see if it would affect our customers and to understand the severity of the issues.
> > It looks like these issues are only exploitable if the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
> > What do you guys think, would ActiveMQ really be vulnerable to these issues?
> >
> > Regards,
> > --
> > Peter Raymond
> > Principal Software Architect
> > Micro Focus | Serena Software
> > Tel: +44 (0)1727 813362
> > mailto: peter.raym...@microfocus.com
> > WWW: https://www.microfocus.com
> >
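As an added illustration of the point made in this thread (not code from the ActiveMQ project or from any of the posters), the Java snippet below checks that an ObjectMapper does not have UNWRAP_SINGLE_VALUE_ARRAYS enabled and shows that, with the feature off, an array-wrapped scalar is rejected at the first array token rather than unwrapped; it assumes jackson-databind is on the classpath, and the helper names and the sample input are constructed for this example.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.MismatchedInputException;

public class UnwrapFeatureCheck {

    // Hypothetical helper: true when the mapper is in the state the thread
    // describes as safe, i.e. UNWRAP_SINGLE_VALUE_ARRAYS is disabled.
    static boolean unwrapDisabled(ObjectMapper mapper) {
        return !mapper.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
    }

    // Constructed input: a scalar wrapped in a few array layers. With the
    // feature disabled, Jackson rejects it at the first '[' regardless of
    // how deeply it is nested, so no recursive unwrapping takes place.
    static boolean rejectsWrappedScalar(ObjectMapper mapper) {
        try {
            mapper.readValue("[[[42]]]", Integer.class);
            return false; // value was unwrapped: the feature is on
        } catch (MismatchedInputException e) {
            return true;  // rejected as an unexpected array: the feature is off
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // A default ObjectMapper has the feature off out of the box.
        ObjectMapper defaults = new ObjectMapper();
        System.out.println("default mapper, unwrap disabled: " + unwrapDisabled(defaults));
        System.out.println("default mapper rejects [[[42]]]: " + rejectsWrappedScalar(defaults));

        // Hardened form: disable the feature explicitly so that any later
        // enable() elsewhere in the code base stands out in review.
        ObjectMapper hardened = new ObjectMapper()
                .disable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        System.out.println("hardened mapper rejects [[[42]]]: " + rejectsWrappedScalar(hardened));
    }
}
```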