activemq-issues mailing list archives

From "Mike Hearn (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ARTEMIS-1483) Upgrade beanutils to fix CVE 2015-6420
Date Thu, 26 Oct 2017 17:10:00 GMT

    [ https://issues.apache.org/jira/browse/ARTEMIS-1483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16220801#comment-16220801 ]

Mike Hearn commented on ARTEMIS-1483:
-------------------------------------

It may be that Maven is auto-upgrading the dependency of BeanUtils too. I guess it depends
on the build tool used and configuration. The dependency scanner plugin is useful though and
this should be a one-line fix. 

> Upgrade beanutils to fix CVE 2015-6420
> --------------------------------------
>
>                 Key: ARTEMIS-1483
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1483
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>            Reporter: Mike Hearn
>            Assignee: Justin Bertram
>
> In ARTEMIS-309 the version of Apache Commons Collections was upgraded to 3.2.2; however,
> this fix was not sufficient because ACC is also pulled in via Apache BeanUtils. This is a
> potential problem because it is enough for the bad library to be anywhere on the classpath, so
> whether Artemis is vulnerable or not may depend on the vagaries of classpath ordering (if
> both versions somehow end up in the distribution by mistake).
> BeanUtils has a 1.9.3 release where the dependency was upgraded to fix the CVE. If Artemis
> upgrades to BeanUtils 1.9.3 the problem is resolved.
> We noticed this in our project using the OWASP Dependency Scanner:
> https://www.owasp.org/index.php/OWASP_Dependency_Check
> It'd be a great thing for you guys to start using this wonderful plugin too. The reports
> it generates are excellent.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
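An added example, not code from the ARTEMIS-1483 ticket or from the Artemis build itself, of what the Maven side of the fix discussed above looks like: a dependencyManagement block that pins commons-beanutils to 1.9.3 (and, as a second guard, commons-collections itself to 3.2.2 so no other transitive path can reintroduce an older copy), plus the OWASP dependency-check plugin that reported the finding, configured to fail the build on high-severity CVEs. The plugin version is a placeholder to be filled in; the CVSS threshold of 7 is an assumed policy.

```xml
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Pin the BeanUtils release whose own dependency is Commons Collections 3.2.2 -->
      <dependency>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils</artifactId>
        <version>1.9.3</version>
      </dependency>
      <!-- Also pin Commons Collections directly: a vulnerable copy reached through
           any other transitive path would still resolve to this managed version -->
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- OWASP Dependency-Check: scans the resolved dependency tree for known CVEs
           and fails the build when a finding reaches the CVSS threshold below -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>PLUGIN_VERSION_PLACEHOLDER</version> <!-- placeholder: set to the release you use -->
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS> <!-- assumed policy threshold -->
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After applying the pins, `mvn dependency:tree -Dincludes=commons-collections` should list only the 3.2.2 artifact; any remaining older entry points to a path the managed versions did not cover (for example a shaded or relocated copy).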
