[ https://issues.apache.org/jira/browse/ARTEMIS-2938?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rico Neubauer updated ARTEMIS-2938: ----------------------------------- Attachment: ARTEMIS-2938-Update-to-latest-Apache-ActiveMQ-Client-to-r.patch > Update to latest Apache ActiveMQ Client to resolve CVEs > ------------------------------------------------------- > > Key: ARTEMIS-2938 > URL: https://issues.apache.org/jira/browse/ARTEMIS-2938 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: OpenWire > Affects Versions: 2.15.0 > Reporter: Rico Neubauer > Priority: Major > Attachments: > ARTEMIS-2938-Update-to-latest-Apache-ActiveMQ-Client-to-r.patch > > > Hi, > artemis-openwire-protocol embeds dependency > org.apache.activemq:activemq-client. > Version is defined in main pom.xml and currently 5.14.5. > ([Link|https://github.com/apache/activemq-artemis/blob/master/pom.xml#L87]) > 5.14.5 has the following vulnerabilities: > {noformat} > CVE-2018-11775 (BDSA-2018-3183): (7.4) > -------------------------------- > TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 > was missing which could make the client vulnerable to a MITM attack between a > Java application using the ActiveMQ client and the ActiveMQ server. This is > now enabled by default. > CVE-2019-0222 (BDSA-2019-0858): (7.5) > ------------------------------- > In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead > to broker Out of Memory exception making it unresponsive. > {noformat} > I therefore kindly request to update the dependency to the latest version - > 5.16.0 at time of writing. > Ran a full verification build with 5.16.0, which was perfectly fine. > Previous similar issue: ARTEMIS-118 -- This message was sent by Atlassian Jira (v8.3.4#803005)