Description
Hi,
artemis-openwire-protocol embeds dependency org.apache.activemq:activemq-client.
Version is defined in main pom.xml and currently 5.14.5. (Link)
5.14.5 has the following vulnerabilities:
CVE-2018-11775 (BDSA-2018-3183) (7.4): TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
CVE-2019-0222 (BDSA-2019-0858) (7.5): In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.
I therefore kindly request to update the dependency to the latest version - 5.16.0 at time of writing.
Ran a full verification build with 5.16.0, which was perfectly fine.
Previous similar issue: ARTEMIS-118
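Added here as an example (not code from the Artemis project or the reporter): a small dependency-audit check that reads the activemq-client version out of a pom.xml, resolves the Maven property it is held in, and reports which of the two CVEs quoted above are still unfixed at that version. The pom fragment and the property name activemq.version are constructed assumptions; the 5.15.9 threshold for CVE-2019-0222 is taken from the 5.0.0 - 5.15.8 affected range.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment: the version is held in a property, as in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <activemq.version>5.14.5</activemq.version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.apache.activemq</groupId>
      <artifactId>activemq-client</artifactId>
      <version>${activemq.version}</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# First activemq-client version containing each fix, from the issue text:
# CVE-2018-11775 fixed in 5.15.6; CVE-2019-0222 affects 5.0.0 - 5.15.8 (so 5.15.9).
FIXES = {"CVE-2018-11775": (5, 15, 6), "CVE-2019-0222": (5, 15, 9)}

def parse_version(v):
    """Turn '5.14.5' into (5, 14, 5) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def resolve(value, props):
    """Expand ${property} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def find_dependency_version(pom_xml, group, artifact):
    """Return the resolved <version> of group:artifact, or None if not declared."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    for dep in root.iter("{%s}dependency" % NS["m"]):
        g = dep.findtext("m:groupId", namespaces=NS)
        a = dep.findtext("m:artifactId", namespaces=NS)
        v = dep.findtext("m:version", namespaces=NS)
        if g == group and a == artifact and v:
            return resolve(v.strip(), props)
    return None

def unfixed_cves(version):
    """CVEs from the issue whose fix version is newer than the given version."""
    return sorted(c for c, fix in FIXES.items() if parse_version(version) < fix)

if __name__ == "__main__":
    v = find_dependency_version(SAMPLE_POM, "org.apache.activemq", "activemq-client")
    print(v, unfixed_cves(v))  # 5.14.5 ['CVE-2018-11775', 'CVE-2019-0222']
```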