Hi,

Yes, 5.17.0 uses Spring 5.3.16 (and spring-beans). I invite you to upgrade to ActiveMQ 5.17.5 which uses Spring 5.3.27 (which fixes the CVE issue).
Regards
JB

On Fri, Jul 21, 2023 at 6:13 AM Marian Stanciu <marian.stan...@tufin.com> wrote:
>
> Hi,
>
> We are using a docker container of ActiveMQ 5.17.0 and our vulnerability
> scanner found the library spring-beans-5.3.16.jar which is vulnerable to
> CVE-2022-22965.
>
> Can you confirm/infirm if Active MQ is affected?
>
> More details about this vulnerability:
> A Spring MVC or Spring WebFlux application running on JDK 9+ may be
> vulnerable to remote code execution (RCE) via data binding. The specific
> exploit requires the application to run on Tomcat as a WAR deployment. If the
> application is deployed as a Spring Boot executable jar, i.e., the default,
> it is not vulnerable to the exploit. However, the nature of the vulnerability
> is more general, and there may be other ways to exploit it.
>
> https://nvd.nist.gov/vuln/detail/cve-2022-22965
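The check a scanner performs here, written out as an added example that is not part of this thread or of ActiveMQ's own code: it looks for `spring-beans-<version>.jar` in a lib directory (ActiveMQ keeps its jars under `lib/`, which this script takes as a command-line argument) and reports whether each copy is at or above the Spring Framework releases that carry the CVE-2022-22965 fix (5.3.18 and 5.2.20 per the Spring advisory; the thread's own numbers, 5.3.16 vulnerable and 5.3.27 fixed, fall on either side of that line). The sample jar names in `main` are constructed for the demonstration. This is a version check only; as the quoted advisory text says, whether the exploit is reachable also depends on the deployment (JDK 9+, Tomcat WAR), which a filename cannot tell you.

```python
import re
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest release on each maintained 5.x line that fixes CVE-2022-22965
# (Spring Framework advisory: 5.3.18 and 5.2.20). 6.x shipped after the fix.
FIXED_VERSIONS = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# spring-beans-5.3.16.jar, and the older spring-beans-5.2.20.RELEASE.jar naming
JAR_RE = re.compile(r"^spring-beans-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$")


def parse_spring_beans_jar(name: str) -> Optional[Version]:
    """Return (major, minor, patch) for a spring-beans jar name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_fixed(version: Version) -> bool:
    """True when this spring-beans version contains the CVE-2022-22965 fix."""
    line = version[:2]
    if line in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[line]
    # 6.0 and later were cut after the fix; lines older than 5.2 never got one.
    return version >= (6, 0, 0)


def assess_jar_names(names: Iterable[str]) -> List[Tuple[str, Version, bool]]:
    """Keep only spring-beans jars and pair each with its fixed/unfixed verdict."""
    findings = []
    for name in names:
        version = parse_spring_beans_jar(name)
        if version is not None:
            findings.append((name, version, is_fixed(version)))
    return findings


def scan_lib_dir(lib_dir: str) -> List[Tuple[str, Version, bool]]:
    """Scan a directory such as an ActiveMQ install's lib/ for spring-beans jars."""
    return assess_jar_names(p.name for p in Path(lib_dir).glob("*.jar"))


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        findings = scan_lib_dir(argv[1])
    else:
        # Constructed sample names: the 5.17.0 and 5.17.5 versions named in the thread
        findings = assess_jar_names(
            ["activemq-broker-5.17.0.jar", "spring-beans-5.3.16.jar", "spring-beans-5.3.27.jar"]
        )
    worst = 0
    for name, version, fixed in findings:
        verdict = "fixed" if fixed else "VULNERABLE (CVE-2022-22965)"
        print(f"{name}: {'.'.join(map(str, version))} -> {verdict}")
        worst = max(worst, 0 if fixed else 1)
    if not findings:
        print("no spring-beans jar found")
    return worst  # non-zero exit when any unfixed copy is present


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_spring_beans.py /opt/activemq/lib` against a container's lib directory, or with no argument to see the constructed sample; the non-zero exit status makes it usable as a CI gate before an image is shipped.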