[ https://issues.apache.org/jira/browse/AMQ-6994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16554498#comment-16554498 ]
ASF subversion and git services commented on AMQ-6994:
------------------------------------------------------

Commit b4513004bcb925788e49ff9a067a120abf226d37 in activemq's branch refs/heads/master from [~tabish121]
[ https://git-wip-us.apache.org/repos/asf?p=activemq.git;h=b451300 ]

AMQ-6994 Update tomcat API version to latest 8.0.x series

Updates version to 8.0.53 to bring in fixes

> ActiveMQ 5.15.4 tomcat-servlet-api-8.0.24.jar which has four high severity CVEs against it.
> --------------------------------------------------------------------------------------------
>
>                 Key: AMQ-6994
>                 URL: https://issues.apache.org/jira/browse/AMQ-6994
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: webconsole
>    Affects Versions: 5.15.4
>         Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Financial services). Will not accept the risk of having even one high severity CVE in their environment. The cost of (SOX/HIPAA) insurance is too high to allow even one CVE with newly deployed systems.
>            Reporter: Albert Baker
>            Priority: Blocker
>
> ActiveMQ 5.15.4 tomcat-servlet-api-8.0.24.jar which has four high severity CVEs against it.
> Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.
>
> Referenced In Projects/Scopes:
>   ActiveMQ :: Assembly:compile
>   ActiveMQ :: Web:provided
>   ActiveMQ :: Web Console:provided
>
> CVE-2016-3092  Severity: High  CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> CWE: CWE-20 Improper Input Validation
> The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
> BID - 91453
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743480
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743722
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743738
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743742
> CONFIRM - http://tomcat.apache.org/security-7.html
> CONFIRM - http://tomcat.apache.org/security-8.html
> CONFIRM - http://tomcat.apache.org/security-9.html
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
> CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
> CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1349468
> CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
> CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
> CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
> DEBIAN - DSA-3609
> DEBIAN - DSA-3611
> DEBIAN - DSA-3614
> GENTOO - GLSA-201705-09
> JVN - JVN#89379547
> JVNDB - JVNDB-2016-000121
> MLIST - [dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
> REDHAT - RHSA-2016:2068
> REDHAT - RHSA-2016:2069
> REDHAT - RHSA-2016:2070
> REDHAT - RHSA-2016:2071
> REDHAT - RHSA-2016:2072
> REDHAT - RHSA-2016:2599
> REDHAT - RHSA-2016:2807
> REDHAT - RHSA-2016:2808
> REDHAT - RHSA-2017:0455
> REDHAT - RHSA-2017:0456
> REDHAT - RHSA-2017:0457
> SECTRACK - 1036427
> SECTRACK - 1036900
> SECTRACK - 1037029
> SECTRACK - 1039606
> SUSE - openSUSE-SU-2016:2252
> UBUNTU - USN-3024-1
> UBUNTU - USN-3027-1
> Vulnerable Software & Versions:
> cpe:/a:apache:tomcat:8.0.24
>
> CVE-2016-5425  Severity: High  CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
> The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
> BID - 93472
> CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
> EXPLOIT-DB - 40488
> MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
> MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
> MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora, OracleLinux, RedHat etc.)
> REDHAT - RHSA-2016:2046
> SECTRACK - 1036979
> Vulnerable Software & Versions:
> cpe:/a:apache:tomcat
>
> CVE-2016-6325  Severity: High  CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
> The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
> BID - 93478
> CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
> CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
> REDHAT - RHSA-2016:2045
> REDHAT - RHSA-2016:2046
> REDHAT - RHSA-2017:0455
> REDHAT - RHSA-2017:0456
> REDHAT - RHSA-2017:0457
> Vulnerable Software & Versions:
> cpe:/a:apache:tomcat:-
>
> CVE-2016-8735  Severity: High  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-284 Improper Access Control
> Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
> BID - 94463
> CONFIRM - http://seclists.org/oss-sec/2016/q4/502
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767644
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767656
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767676
> CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767684
> CONFIRM - http://tomcat.apache.org/security-6.html
> CONFIRM - http://tomcat.apache.org/security-7.html
> CONFIRM - http://tomcat.apache.org/security-8.html
> CONFIRM - http://tomcat.apache.org/security-9.html
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
> CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
> CONFIRM - https://security.netapp.com/advisory/ntap-20180607-0001/
> DEBIAN - DSA-3738
> REDHAT - RHSA-2017:0455
> REDHAT - RHSA-2017:0456
> REDHAT - RHSA-2017:0457
> SECTRACK - 1037331
> Vulnerable Software & Versions:

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
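The thread describes two build-side steps: running OWASP Dependency-Check from the ActiveMQ pom.xml to surface the findings, and pinning tomcat-servlet-api to 8.0.53 as the commit does. The pom.xml fragment below is an added example, not ActiveMQ's own build file or anything from the JIRA issue: it wires the dependency-check-maven plugin into the verify phase so the build fails on any finding at or above CVSS 7 (the threshold the four CVEs above cross), and overrides the servlet API version in dependencyManagement. The property name `tomcat.api.version`, the plugin version, and the `org.apache.tomcat:tomcat-servlet-api` coordinate (inferred from the jar name in the report) are assumptions.

```xml
<!-- Added example fragment for a project pom.xml; not ActiveMQ's real pom.
     Assumed: property name tomcat.api.version, plugin version, and the
     tomcat-servlet-api coordinate (inferred from tomcat-servlet-api-8.0.24.jar). -->
<project>
  <properties>
    <!-- Pin to the patched 8.0.x release named in the AMQ-6994 commit. -->
    <tomcat.api.version>8.0.53</tomcat.api.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Forces every module (assembly, web, web-console) onto the same
           patched version instead of the transitively resolved 8.0.24. -->
      <dependency>
        <groupId>org.apache.tomcat</groupId>
        <artifactId>tomcat-servlet-api</artifactId>
        <version>${tomcat.api.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <!-- OWASP Dependency-Check: produces the kind of report quoted above. -->
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>9.0.9</version> <!-- assumed; use a current release -->
        <configuration>
          <!-- Fail the build when any finding scores >= 7.0 (CVSS "High"),
               which matches the reporter's "no high severity CVE" policy. -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Write HTML for people and JSON for CI tooling. -->
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
            <phase>verify</phase>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, `mvn verify` regenerates the report and fails once a dependency such as the old servlet API scores at or above the threshold; after the version bump, re-running it confirms the four findings no longer match the resolved artifact. Findings that are confirmed not to apply to the packaging in use (for example the RHEL-specific file-permission CVEs above, which concern the distribution package rather than the jar) are better recorded in a suppression file than by lowering the threshold.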