Hi, We are using a docker container of ActiveMQ 5.17.0 and our vulnerability scanner found the library spring-web-5.3.16.jar which is vulnerable to cve-2016-1000027.
Can you confirm/infirm if Active MQ is affected / whether it uses a Spring remoting endpoint? More details about this vulnerability: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. https://nvd.nist.gov/vuln/detail/cve-2016-1000027 Thank you!