[
https://issues.apache.org/jira/browse/ARTEMIS-2938?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rico Neubauer updated ARTEMIS-2938:
-----------------------------------
Attachment: ARTEMIS-2938-Update-to-latest-Apache-ActiveMQ-Client-to-r.patch
> Update to latest Apache ActiveMQ Client to resolve CVEs
> -------------------------------------------------------
>
> Key: ARTEMIS-2938
> URL: https://issues.apache.org/jira/browse/ARTEMIS-2938
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: OpenWire
> Affects Versions: 2.15.0
> Reporter: Rico Neubauer
> Priority: Major
> Attachments:
> ARTEMIS-2938-Update-to-latest-Apache-ActiveMQ-Client-to-r.patch
>
>
> Hi,
> artemis-openwire-protocol embeds dependency
> org.apache.activemq:activemq-client.
> Version is defined in main pom.xml and currently 5.14.5.
> ([Link|https://github.com/apache/activemq-artemis/blob/master/pom.xml#L87])
> 5.14.5 has the following vulnerabilities:
> {noformat}
> CVE-2018-11775 (BDSA-2018-3183): (7.4)
> --------------------------------
> TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6
> was missing which could make the client vulnerable to a MITM attack between a
> Java application using the ActiveMQ client and the ActiveMQ server. This is
> now enabled by default.
> CVE-2019-0222 (BDSA-2019-0858): (7.5)
> -------------------------------
> In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead
> to broker Out of Memory exception making it unresponsive.
> {noformat}
> I therefore kindly request to update the dependency to the latest version -
> 5.16.0 at time of writing.
> Ran a full verification build with 5.16.0, which was perfectly fine.
> Previous similar issue: ARTEMIS-118
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
