activemq-users mailing list archives

From Justin Bertram
Subject Re: CVE-2016-1000031 vulnerability on commons-fileupload
Date Mon, 11 Mar 2019 19:44:13 GMT
Taking a look at the download for ActiveMQ 5.11 [1] I don't even see a
directory named webapps/hawtio.

Also, the information on the CVE [2] states:

  Per Apache: "Having reviewed your report we have concluded that it does
not represent a valid vulnerability in Apache Commons File Upload. If an
application deserializes data from an untrusted source without filtering
and/or validation that is an application vulnerability not a vulnerability
in the library a potential attacker might leverage."

Therefore, you probably want to follow up with the Hawtio community on
whether or not this could be exploited in their web app and/or if version
1.3.3 of that jar could be used to mitigate the risk.



On Mon, Mar 11, 2019 at 11:10 AM matteo.piemonti wrote:

> Hi, we have an Apache ActiveMQ 5.11.0 installation and our security team
> notified us of the vulnerability CVE-2016-1000031 in the library
> commons-fileupload-1.3.1.jar, present in webapps/hawtio/WEB-INF/lib.
> How can we mitigate it?
> Is it possible to take the library commons-fileupload-1.3.3.jar and replace the
> old file? Is it compatible with ActiveMQ?
> Thank you
> Matteo
> --
> Sent from:
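
Added example, not part of the original thread: a small inventory script that lists every commons-fileupload jar under an install directory, including jars packed inside .war/.ear archives, and flags those below 1.3.3 (the version proposed in the thread). The sample directory tree, `other.war` and all function names are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Threshold taken from the thread: 1.3.3 is the proposed replacement version.
MIN_VERSION = (1, 3, 3)
JAR_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)[^/]*\.jar$")

def parse_version(name):
    """Return the version tuple encoded in a jar file name, or None."""
    m = JAR_RE.search(name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def find_fileupload_jars(root):
    """List (location, version) for each commons-fileupload jar under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        version = parse_version(path.name)
        if version:
            findings.append((str(path.relative_to(root)), version))
        elif path.suffix in (".war", ".ear") and zipfile.is_zipfile(path):
            # Web apps are often deployed unexploded; look inside the archive.
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    version = parse_version(entry)
                    if version:
                        findings.append((f"{path.relative_to(root)}!/{entry}", version))
    return findings

def outdated(findings, minimum=MIN_VERSION):
    """Keep only the findings whose version is below the minimum."""
    return [(loc, ver) for loc, ver in findings if ver < minimum]

def build_sample_tree(root):
    """Constructed sample layout for the demo, not a real ActiveMQ install."""
    lib = Path(root, "webapps/hawtio/WEB-INF/lib")
    lib.mkdir(parents=True)
    (lib / "commons-fileupload-1.3.1.jar").write_bytes(b"")
    Path(root, "lib").mkdir()
    Path(root, "lib", "commons-fileupload-1.3.3.jar").write_bytes(b"")
    with zipfile.ZipFile(Path(root, "webapps/other.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-fileupload-1.2.2.jar", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for loc, ver in outdated(find_fileupload_jars(tmp)):
            print("below 1.3.3:", loc, ".".join(map(str, ver)))
```

The script only reports which copies are present and where; whether a given copy is reachable with untrusted serialized data still has to be answered per web app, as the reply above notes.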
