Uploaded image for project: 'ActiveMQ Classic'
  1. ActiveMQ Classic
  2. AMQ-8562

Spring4shell vulnerability mitigation

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Duplicate
    • 5.16.4
    • 5.17.1
    • AMQP

    Description

      Severity : Sonatype CVSS 3: 9.8CVE CVSS 2.0: 0.0

      Weakness : Sonatype CWE: 470

      Source : Sonatype Data Research

      Explanation : The spring-beans package is vulnerable to Remote Code Execution [RCE]. The constructor method in the CachedIntrospectionResults class allows the loading of arbitrary classes. A remote attacker can exploit this vulnerability to upload a malicious class and ultimately result in RCE.
      This issue is due to an insufficient fix for CVE-2010-1622.
      :We are still investigating other avenues of attack but out of an abundance of caution, and media attention, are releasing this advisory now.

      Detection : The application is vulnerable by using this component, if using Java version 9 or above.

      Mitigation: Upgrade spring version to latest available.

      Attachments

        Issue Links

          Activity

            People

              jbonofre Jean-Baptiste Onofré
              shuraut Shubhangi Raut
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: