Pavan, your question(s) don't appear related to the original subject of this email thread (i.e. CVE-2022-22965). Please don't hijack other people's threads. If you need to ask a question just start a new thread. Thanks!

Justin

On Fri, Jul 21, 2023 at 1:11 AM Pavan Gujjari <pavan.gujj...@celigo.com> wrote:

> Hi Team,
>
> I am writing to inquire about a few questions that are mentioned below.
>
> 1. Does ActiveMQ whitelist the IP address because it was blacklisted
>    while utilizing the localhost that we set up per the documentation
>    <https://activemq.apache.org/getting-started#UsingHomebrewinstalleronOSX>?
> 2. Do we have any instructions or documentation for whitelisting the IP?
> 3. Is there any further REST API documentation available? Following the REST
>    API documentation <https://activemq.apache.org/rest>, we discovered just
>    one endpoint, "To send a message to queue/topic," and no endpoint related
>    to subscribing/publishing to a topic.
>
> Thank you so much for considering my request. I eagerly await your response
> and look forward to the opportunity to learn from your expertise.
>
> Thank you!
> Pavan Gujjari
>
> Associate Software Analyst
> +91 9989592163
> pavan.gujj...@celigo.com
> www.celigo.com
>
> On Fri, Jul 21, 2023 at 11:36 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
> > Hi
> >
> > Yes 5.17.0 uses Spring 5.3.16 (and spring-beans). I invite you to
> > upgrade to ActiveMQ 5.17.5 which uses Spring 5.3.27 (which fixes the
> > CVE issue).
> >
> > Regards
> > JB
> >
> > On Fri, Jul 21, 2023 at 6:13 AM Marian Stanciu <marian.stan...@tufin.com> wrote:
> >
> > > Hi,
> > >
> > > We are using a docker container of ActiveMQ 5.17.0 and our vulnerability
> > > scanner found the library spring-beans-5.3.16.jar which is vulnerable to
> > > CVE-2022-22965.
> > >
> > > Can you confirm/infirm if Active MQ is affected?
> > >
> > > More details about this vulnerability:
> > > A Spring MVC or Spring WebFlux application running on JDK 9+ may be
> > > vulnerable to remote code execution (RCE) via data binding. The specific
> > > exploit requires the application to run on Tomcat as a WAR deployment. If
> > > the application is deployed as a Spring Boot executable jar, i.e., the
> > > default, it is not vulnerable to the exploit. However, the nature of the
> > > vulnerability is more general, and there may be other ways to exploit it.
> > >
> > > https://nvd.nist.gov/vuln/detail/cve-2022-22965
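
Added example, not part of the original thread and not ActiveMQ project code: a small triage helper that takes a listing of jar file names (as a scanner or `ls` of a lib directory would give) and reports which spring-beans versions predate the CVE-2022-22965 fix and whether the Spring MVC / WebFlux modules named in the NVD text are present. Assumptions: jars follow the `artifact-version.jar` naming seen above, the first fixed releases are 5.3.18 and 5.2.20 per Spring's advisory (not stated in this thread), and the sample listing is constructed.

```python
import re

# First fixed releases per Spring's advisory for CVE-2022-22965 (assumption:
# taken from the advisory, not from this thread).
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
# Modules the NVD description names as the exposed surface.
WEB_MODULES = {"spring-webmvc", "spring-webflux"}
JAR_RE = re.compile(r"^(spring-[a-z-]+?)-(\d+)\.(\d+)\.(\d+)(?:[.-].*)?\.jar$")

# Constructed sample listing; only spring-beans-5.3.16.jar comes from the thread.
SAMPLE = [
    "activemq-broker-5.17.0.jar",
    "spring-beans-5.3.16.jar",
    "spring-core-5.3.16.jar",
]


def parse_jar(name):
    """Return (artifact, (major, minor, patch)), or None for non-Spring jars."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.groups()[1:4])


def is_affected(version):
    """True if this Spring Framework version predates the fix on its line."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Lines older than 5.2 are unsupported and unpatched; newer lines
        # were released with the fix already in place.
        return version[:2] < (5, 2)
    return version < fixed


def triage(jar_names):
    """Summarise one lib directory listing for a CVE-2022-22965 review."""
    parsed = [p for p in map(parse_jar, jar_names) if p]
    beans = [v for a, v in parsed if a == "spring-beans"]
    return {
        "vulnerable_spring_beans": sorted(v for v in beans if is_affected(v)),
        "web_modules_present": sorted(a for a, _ in parsed if a in WEB_MODULES),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A flagged spring-beans version confirms what the scanner saw; whether the web modules and the JDK 9+ / Tomcat WAR conditions quoted above also apply still has to be checked against the actual deployment.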