[AMQ-6996] ActiveMQ 5.15.4 xercesImpl-2.11.0.jar which has one high severity CVE against it. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 5.15.4
Fix Version/s: 5.15.5, 5.16.0
Component/s: Broker, Web Console
Labels:
None
Environment:

Hide

Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Finacial services). Will not accept the risk of having even one high severity CVE in thier environment. The cost of (SOX/HIPPA) insurence is too high to allow even one CVE with newly deployed systems.

Show
Environment: Customer environment is a mix of Linux and Windows, Gig-LAN (Medical & Finacial services). Will not accept the risk of having even one high severity CVE in thier environment. The cost of (SOX/HIPPA) insurence is too high to allow even one CVE with newly deployed systems.

Description

ActiveMQ 5.15.4 xercesImpl-2.11.0.jar which has one high severity CVE against it.
Discovered by adding OWASP Dependency check into ActiveMQ pom.xml and running the OWASP report.

CVE-2012-0881 Severity:High CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Apache Xerces2 Java allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=787104
MLIST - [oss-security] 20140708 Summer bug cleaning - some Hash DoS stuff
Vulnerable Software & Versions:
cpe:/a:apache:xerces2_java:2.11.0 and all previous versions

Attachments

Issue Links

links to

GitHub Pull Request #291

GitHub Pull Request #292

GitHub Pull Request #293

Activity

People

Assignee:: Unassigned

Reporter:: Albert Baker

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 15/Jun/18 15:18

Updated:: 24/Jul/18 01:56

Resolved:: 23/Jul/18 15:26