activemq-users mailing list archives

From beku <benjamin.ku...@siemens.com>
Subject Activemq bundled Jetty Jetleak vulnerability
Date Tue, 27 Sep 2016 14:55:12 GMT
Hi everybody,

it seems the Jetty server bundled with the latest activemq release (5.14.0)
is prone to the jetleak vulnerability mentioned in CVE-2015-2080 and here:

https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

When exploiting the issue mentioned, the whole activemq instance seems to
crash sometimes.
This is especially cumbersome when you are on a large network and your
production activemq instances are constantly crashed by "vulnerability
scanners"...

Is this already known by the devs and will there be an update to activemq
with a non-vulnerable version of jetty?

Many Thanks,
Benjamin



--
View this message in context: http://activemq.2283324.n4.nabble.com/Activemq-bundled-Jetty-Jetleak-vulnerability-tp4717035.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
