Details
Bug
Status: Resolved
Blocker
Resolution: Fixed
5.15.4
None
Description
ActiveMQ 5.15.4 includes commons-beanutils-core-1.8.0.jar, which has one high-severity CVE against it.
Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.
CVE-2014-0114 Severity: High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
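The CVE text above says BeanUtils "does not suppress the class property". The following check is an added example, not code from this ticket or from the ActiveMQ project. It assumes commons-beanutils 1.9.2 or later on the classpath and uses that release's opt-in `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS`; the `ClassPropertyCheck` and `Sample` names are hypothetical.

```java
import java.beans.PropertyDescriptor;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyCheck {

    // Constructed sample bean standing in for any object populated from untrusted input.
    public static class Sample {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // True if this PropertyUtilsBean resolves the "class" property inherited from
    // Object.getClass(), the property the CVE description refers to.
    static boolean exposesClass(PropertyUtilsBean utils, Object bean) {
        for (PropertyDescriptor pd : utils.getPropertyDescriptors(bean)) {
            if ("class".equals(pd.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Object bean = new Sample();

        // Library defaults: the result depends on the BeanUtils version in use.
        PropertyUtilsBean defaults = new PropertyUtilsBean();
        System.out.println("default config exposes class: " + exposesClass(defaults, bean));

        // Hardened: register the introspector before the first descriptor lookup,
        // because descriptors are cached per bean class.
        PropertyUtilsBean hardened = new PropertyUtilsBean();
        hardened.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        if (exposesClass(hardened, bean)) {
            throw new IllegalStateException("'class' is still reachable through BeanUtils");
        }
        System.out.println("hardened config exposes class: false");
    }
}
```

Code that uses the static `BeanUtils`/`PropertyUtils` helpers would apply the same call to `BeanUtilsBean.getInstance().getPropertyUtils()` at startup, before any bean is populated.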