[ARTEMIS-2938] Update to latest Apache ActiveMQ Client to resolve CVEs - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.15.0
Fix Version/s: 2.17.0
Component/s: OpenWire
Labels:
None

Description

Hi,

artemis-openwire-protocol embeds dependency org.apache.activemq:activemq-client.
Version is defined in main pom.xml and currently 5.14.5. (Link)

5.14.5 has the following vulnerabilities:

CVE-2018-11775 (BDSA-2018-3183): (7.4)
--------------------------------
TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

CVE-2019-0222 (BDSA-2019-0858): (7.5)
-------------------------------
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

I therefore kindly request to update the dependency to the latest version - 5.16.0 at time of writing.
Ran a full verification build with 5.16.0, which was perfectly fine.

Previous similar issue: ~~ARTEMIS-118~~

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ARTEMIS-2938-Update-to-latest-Apache-ActiveMQ-Client-to-r.patch
09/Oct/20 09:32
0.8 kB
Rico Neubauer

Issue Links

links to

GitHub Pull Request #3299

Activity

People

Assignee:: Unassigned

Reporter:: Rico Neubauer

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 09/Oct/20 09:32

Updated:: 09/Feb/21 21:24

Resolved:: 17/Nov/20 14:49

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m