activemq-users mailing list archives

From Tim Bain <tb...@alumni.duke.edu>
Subject Re: Activemq bundled Jetty Jetleak vulnerability
Date Wed, 28 Sep 2016 03:31:54 GMT
Benjamin, did your comment indicate that you have reproduced the
vulnerability in 5.14.0, even though it includes a version of Jetty that
Chris indicates should be unaffected?

Tim

On Sep 27, 2016 9:52 AM, "Christopher Shannon" <
christopher.l.shannon@gmail.com> wrote:

> First, for security vulnerabilities please follow this guide in the future
> http://www.apache.org/security/committers.html
>
> Second, the version that is bundled with ActiveMQ 5.14.0 is version
> 9.2.13.v20150730 and the vulnerability was fixed in version 9.2.9 so there
> should not be an issue.
>
> On Tue, Sep 27, 2016 at 10:55 AM, beku <benjamin.kusch@siemens.com> wrote:
>
> > Hi everybody,
> >
> > it seems the Jetty server bundled with the latest activemq release (5.14.0)
> > is prone to the jetleak vulnerability mentioned in CVE-2015-2080 and here:
> >
> > https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
> >
> > When exploiting the issue mentioned, the whole activemq instance seems to
> > crash sometimes.
> > This is especially cumbersome when you are on a large network and your
> > production activemq instances are constantly crashed by "vulnerability
> > scanners"...
> >
> > Is this already known by the devs and will there be an update to activemq
> > with a non-vulnerable version of jetty?
> >
> > Many Thanks,
> > Benjamin
> >
>

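The check that settles the question in this thread is the version of the Jetty jars actually shipped in the broker's lib directory, compared against the 9.2.9 fix version Chris cites. The following script is an added example and is not code from any of the list participants or from the ActiveMQ project; it assumes Jetty jars are named `jetty-<module>-<major>.<minor>.<patch>[.vYYYYMMDD].jar` (the `.vYYYYMMDD` suffix is a build qualifier that does not change ordering) and uses a constructed directory listing in place of a real install.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# CVE-2015-2080 (Jetleak) was fixed in Jetty 9.2.9 according to the thread.
# This check only encodes that "fixed in 9.2.9" statement; it does not model
# the lower bound of affected releases, so older 9.x jars are simply reported
# as "not at or above the fix version".
JETLEAK_FIXED_IN: Tuple[int, int, int] = (9, 2, 9)

# Assumed jar naming: jetty-server-9.2.13.v20150730.jar, jetty-all-9.2.8.jar, ...
JETTY_JAR_RE = re.compile(
    r"^jetty-(?:[a-z-]+)-(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?\.jar$"
)


def jetty_version_from_jar(name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Jetty jar name, or None if it is not one."""
    m = JETTY_JAR_RE.match(name)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_jetleak_fixed(version: Tuple[int, int, int]) -> bool:
    """True when the version is at or above the 9.2.9 fix release."""
    return version >= JETLEAK_FIXED_IN


def assess(jar_names: Iterable[str]) -> Dict[str, dict]:
    """Map each Jetty jar name to its parsed version and fixed/not-fixed status.

    Non-Jetty jars (activemq-*, spring-*, ...) are ignored. Reporting every
    Jetty jar separately makes a mixed-version lib directory visible, which a
    single "the server jar is fine" check would hide.
    """
    results: Dict[str, dict] = {}
    for name in jar_names:
        version = jetty_version_from_jar(name)
        if version is not None:
            results[name] = {"version": version, "jetleak_fixed": is_jetleak_fixed(version)}
    return results


def overall_status(results: Dict[str, dict]) -> Optional[bool]:
    """None if no Jetty jars were found, False if any jar is below the fix, else True."""
    if not results:
        return None
    return all(entry["jetleak_fixed"] for entry in results.values())


def scan_lib_dir(lib_dir: Path) -> Dict[str, dict]:
    """Walk a real ActiveMQ lib/ tree and assess every jetty-*.jar found."""
    return assess(p.name for p in lib_dir.rglob("jetty-*.jar"))


# Constructed listing standing in for `ls lib/` on two hypothetical installs.
SAMPLE_PATCHED_LIB = [
    "activemq-broker-5.14.0.jar",
    "jetty-server-9.2.13.v20150730.jar",
    "jetty-util-9.2.13.v20150730.jar",
    "jetty-io-9.2.13.v20150730.jar",
]
SAMPLE_MIXED_LIB = [
    "activemq-broker-5.14.0.jar",
    "jetty-server-9.2.13.v20150730.jar",
    "jetty-io-9.2.8.v20150217.jar",  # stale jar left behind by a partial upgrade
]

if __name__ == "__main__":
    for label, listing in (("patched", SAMPLE_PATCHED_LIB), ("mixed", SAMPLE_MIXED_LIB)):
        results = assess(listing)
        print(label, "->", overall_status(results))
        for name, entry in results.items():
            print("  ", name, ".".join(map(str, entry["version"])),
                  "ok" if entry["jetleak_fixed"] else "BELOW FIX VERSION")
```

Run it against a real install with `scan_lib_dir(Path("/opt/activemq/lib"))`; the `rglob` covers the `lib/optional` and `lib/web` subtrees as well, so a stale Jetty jar outside the main directory is not missed.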