Hi Team,

I am writing to inquire about a few questions that are mentioned below.

1. Does ActiveMQ whitelist the IP address because it was blacklisted while utilizing the localhost that we set up per the documentation <https://activemq.apache.org/getting-started#UsingHomebrewinstalleronOSX>?
2. Do we have any instructions or documentation for whitelisting the IP?
3. Is there any further REST API documentation available? Following the REST API documentation <https://activemq.apache.org/rest>, we discovered just one endpoint, "To send a message to queue/topic," and no endpoint related to subscribing/publishing to a topic.

Thank you so much for considering my request. I eagerly await your response and look forward to the opportunity to learn from your expertise.

Thank you!

Pavan Gujjari
Associate Software Analyst
+91 9989592163
pavan.gujj...@celigo.com
www.celigo.com

On Fri, Jul 21, 2023 at 11:36 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:

> Hi
>
> Yes 5.17.0 uses Spring 5.3.16 (and spring-beans). I invite you to
> upgrade to ActiveMQ 5.17.5 which uses Spring 5.3.27 (which fixes the
> CVE issue).
>
> Regards
> JB
>
> On Fri, Jul 21, 2023 at 6:13 AM Marian Stanciu <marian.stan...@tufin.com> wrote:
> >
> > Hi,
> >
> > We are using a docker container of ActiveMQ 5.17.0 and our vulnerability
> > scanner found the library spring-beans-5.3.16.jar which is vulnerable to
> > CVE-2022-22965.
> >
> > Can you confirm/infirm if ActiveMQ is affected?
> >
> > More details about this vulnerability:
> > A Spring MVC or Spring WebFlux application running on JDK 9+ may be
> > vulnerable to remote code execution (RCE) via data binding. The specific
> > exploit requires the application to run on Tomcat as a WAR deployment. If
> > the application is deployed as a Spring Boot executable jar, i.e., the
> > default, it is not vulnerable to the exploit. However, the nature of the
> > vulnerability is more general, and there may be other ways to exploit it.
> >
> > https://nvd.nist.gov/vuln/detail/cve-2022-22965