Re: ActiveMQ and Jackson Databind security vulnerabilities

2022-11-01 Thread W B D
It may also be reassuring that UNWRAP_SINGLE_VALUE_ARRAYS is not enabled by default, and it is not found anywhere in the ActiveMQ code.

Bruce

On Sat, Oct 29, 2022 at 7:14 AM Jean-Baptiste Onofré wrote:
> And back to your question, jackson (including jackson-databind) is
> used only in

Re: ActiveMQ and Jackson Databind security vulnerabilities

2022-10-29 Thread Jean-Baptiste Onofré
And back to your question, jackson (including jackson-databind) is used only in webconsole (and partition, but that's rare ;)). So basically, if you don't use/expose the ActiveMQ WebConsole, you don't have any risk.

Furthermore, jackson-databind is used in webconsole to marshal/unmarshal console

Re: ActiveMQ and Jackson Databind security vulnerabilities

2022-10-29 Thread Jean-Baptiste Onofré
Hi,

It's already on track, with Jira and PR:
https://issues.apache.org/jira/browse/AMQ-9130
https://github.com/apache/activemq/pull/925

I plan to submit the 5.17.3 release to vote next week.

Regards
JB

On Fri, Oct 28, 2022 at 11:48 AM Peter Raymond wrote:
>
> Hi,
>
> I see the latest version of

ActiveMQ and Jackson Databind security vulnerabilities

2022-10-28 Thread Peter Raymond
Hi,

I see the latest version of ActiveMQ Broker (5.17.2) includes Jackson Databind 2.13.3, which is vulnerable to recent potential security (resource exhaustion) issues:
https://nvd.nist.gov/vuln/detail/CVE-2022-42003
https://nvd.nist.gov/vuln/detail/CVE-2022-42004

Unfortunately some of the