ActiveMQ / AMQ-8107

Does ActiveMQ use the affected functionality within XStream libraries for CVE-2020-26217


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 5.15.14
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Environment: apache-activemq-5.16.0

      Description

       
      Hi,

      Please have a look at this vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2020-26217

      This is reported on XStream before version 1.4.14.

      I checked your latest release - apache-activemq-5.16.0 still has the vulnerable XStream jar,
      i.e. xstream-1.4.11.1.jar.

      We use ActiveMQ in our product and it has been reported as a security vulnerability.

      • Can you confirm if ActiveMQ is vulnerable to this CVE?
      • If no, then can you confirm which ActiveMQ version is safe to use?
      • If yes, then we need an upgraded ActiveMQ jar with this fix. Need to know the expected timeline.

      Need an urgent response, if possible.

      Thanks and regards,
      ~Bipin Chandra
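
Added example (not part of the ticket, and not ActiveMQ or XStream project code): a Python scan that lists XStream jars under an install directory and flags versions below 1.4.14, the boundary the ticket cites for CVE-2020-26217. The directory layout and sample file names are constructed; a flagged jar shows only that the library is bundled, not that ActiveMQ uses the affected functionality.

```python
import re
import tempfile
from pathlib import Path

# Boundary taken from the ticket: the CVE is reported on XStream before 1.4.14.
FIXED = (1, 4, 14)
# Core artifact only: xstream-<dotted version>[-classifier].jar
JAR_RE = re.compile(r"^xstream-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$")


def is_affected(version_text, fixed=FIXED):
    """Compare numerically; as strings, '1.4.9' would wrongly sort after '1.4.14'."""
    return tuple(int(p) for p in version_text.split(".")) < fixed


def scan(root):
    """Return sorted (relative path, version, affected) for XStream jars under root."""
    findings = []
    for jar in Path(root).rglob("xstream-*.jar"):
        match = JAR_RE.match(jar.name)
        if match:  # skips sibling artifacts such as xstream-hibernate-*.jar
            version = match.group(1)
            rel = jar.relative_to(root).as_posix()
            findings.append((rel, version, is_affected(version)))
    return sorted(findings)


def demo():
    """Run scan() over a constructed tree (hypothetical layout, empty files)."""
    names = [
        "broker-a/lib/xstream-1.4.11.1.jar",  # the jar named in the ticket
        "broker-b/lib/xstream-1.4.9.jar",
        "broker-c/lib/xstream-1.4.14.jar",
        "broker-c/lib/xstream-hibernate-1.4.11.1.jar",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.touch()
        return scan(tmp)


if __name__ == "__main__":
    for rel, version, affected in demo():
        print(f"{'AFFECTED' if affected else 'ok':8} {version:10} {rel}")
```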

       
       
       


              People

              • Assignee: jbonofre Jean-Baptiste Onofré
              • Reporter: chandra.bipin@gmail.com Bipin Chandra