Hello Aditya- ActiveMQ is not vulnerable— the current exploits require spring web components, be running in Tomcat as a war and using JDK 9+.
Which security scanner are you using? It sounds like it is over zealous in identifying problematic instances. Thanks, Matt Pavlovich > On Apr 11, 2022, at 2:48 AM, Aditya Nautiyal > <[email protected]> wrote: > > Hi Team, > Our scanners are started complaining about SpringShell Critical issues under > /opt/apache-activemq* as shown below : > > > We recently upgraded our systems to 5.16.4, can you please advise what is the > plan to remediate this from ActiveMQ side on this. > > > > First Last > Job Title > Office: +xxx+xx+xxxxxxx > Mobile: +xxx+xx+xxxxxxx > > > www.algosec.com > <http://www.algosec.com/?utm_source=email&utm_medium=corp+email+signature&utm_campaign=email+signature>
