activemq-users mailing list archives

From Christopher Shannon <christopher.l.shan...@gmail.com>
Subject Re: Activemq bundled Jetty Jetleak vulnerability
Date Tue, 27 Sep 2016 15:51:31 GMT
First, for security vulnerabilities please follow this guide in the future
http://www.apache.org/security/committers.html

Second, the version that is bundled with ActiveMQ 5.14.0 is version
9.2.13.v20150730, and the vulnerability was fixed in version 9.2.9, so there
should not be an issue.

On Tue, Sep 27, 2016 at 10:55 AM, beku <benjamin.kusch@siemens.com> wrote:

> Hi everybody,
>
> it seems the Jetty server bundled with the latest ActiveMQ release (5.14.0)
> is prone to the JetLeak vulnerability mentioned in CVE-2015-2080 and here:
>
> https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
>
> When exploiting the issue mentioned, the whole ActiveMQ instance seems to
> crash sometimes.
> This is especially cumbersome when you are on a large network and your
> production ActiveMQ instances are constantly crashed by "vulnerability
> scanners"...
>
> Is this already known by the devs, and will there be an update to ActiveMQ
> with a non-vulnerable version of Jetty?
>
> Many Thanks,
> Benjamin
>
>
>
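The reply's reasoning is a version comparison: the Jetty bundled with ActiveMQ 5.14.0 (9.2.13.v20150730) is at or after the release that fixed CVE-2015-2080 (9.2.9). The following is an added example, not code from this thread or from the ActiveMQ project: it parses Jetty's `MAJOR.MINOR.PATCH.vYYYYMMDD` tags so they compare numerically rather than as strings, and applies the check to a constructed lib listing (the Maven-style jar names and the `jetty-io` version in the sample are assumptions, not real inventory).

```python
import re
from typing import Dict, Iterable, Tuple

# Versions quoted in the thread: the Jetty bundled with ActiveMQ 5.14.0 and
# the Jetty release in which CVE-2015-2080 (JetLeak) was fixed.
BUNDLED_JETTY = "9.2.13.v20150730"
JETLEAK_FIXED_IN = "9.2.9"

# Jetty 9 release tags: MAJOR.MINOR.PATCH with an optional ".vYYYYMMDD" stamp.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?$")
# Maven-style jar names such as jetty-server-9.2.13.v20150730.jar (assumed layout).
_JAR_RE = re.compile(r"^(jetty-[a-z-]+)-(\d+\.\d+\.\d+(?:\.v\d{8})?)\.jar$")


def parse_jetty_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a Jetty version string into a tuple that compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    major, minor, patch, stamp = m.groups()
    return (int(major), int(minor), int(patch), int(stamp) if stamp else 0)


def is_fixed(bundled: str, fixed_in: str = JETLEAK_FIXED_IN) -> bool:
    """True when the bundled Jetty is at or after the release carrying the fix."""
    return parse_jetty_version(bundled) >= parse_jetty_version(fixed_in)


def lexical_check(bundled: str, fixed_in: str = JETLEAK_FIXED_IN) -> bool:
    """The comparison NOT to use: plain string ordering puts '9.2.13' before
    '9.2.9' because '1' < '9', so it misreports exactly the version in question."""
    return bundled >= fixed_in


def jetty_jars_status(jar_names: Iterable[str]) -> Dict[str, bool]:
    """Map each Jetty jar in a lib listing to whether it carries the fix."""
    status: Dict[str, bool] = {}
    for name in jar_names:
        m = _JAR_RE.match(name)
        if m:
            status[m.group(1)] = is_fixed(m.group(2))
    return status


# Constructed sample listing, not taken from a real ActiveMQ install.
SAMPLE_LIB = [
    "activemq-broker-5.14.0.jar",
    "jetty-server-9.2.13.v20150730.jar",
    "jetty-http-9.2.13.v20150730.jar",
    "jetty-io-9.2.8.v20150101.jar",  # deliberately older, to show a flagged entry
]
```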
