activemq-users mailing list archives

From Justin Bertram <jbert...@apache.org>
Subject Re: CVE-2016-1000031 vulnerability on commons-fileupload
Date Mon, 11 Mar 2019 19:44:13 GMT
Taking a look at the download for ActiveMQ 5.11 [1] I don't even see a
directory named webapps/hawtio.

Also, the information on the CVE [2] states:

  Per Apache: "Having reviewed your report we have concluded that it does
  not represent a valid vulnerability in Apache Commons File Upload. If an
  application deserializes data from an untrusted source without filtering
  and/or validation that is an application vulnerability not a vulnerability
  in the library a potential attacker might leverage."

Therefore, you probably want to follow up with the Hawtio community on
whether or not this could be exploited in their web app and/or if version
1.3.3 of that jar could be used to mitigate the risk.


Justin

[1]
http://archive.apache.org/dist/activemq/5.11.0/apache-activemq-5.11.0-bin.zip
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031

On Mon, Mar 11, 2019 at 11:10 AM matteo.piemonti <
matteo.piemonti@accenture.com> wrote:

> Hi, we have an Apache ActiveMQ 5.11.0 installation and our security team
> notified us of the vulnerability CVE-2016-1000031 on library
> commons-fileupload-1.3.1.jar, present in webapps/hawtio/WEB-INF/lib.
> How can we mitigate it?
> Is it possible to take library commons-fileupload-1.3.3.jar and replace the
> old file? Is it compatible with ActiveMQ?
>
> Thank you
> Matteo
>
>
>
> --
> Sent from:
> http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>
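The practical first step behind both messages is an inventory: which webapps in the install actually bundle commons-fileupload, and at what version. The script below is an added example, not code from the thread or from the ActiveMQ or Hawtio projects. It walks an extracted distribution directory, finds every commons-fileupload jar (taking the version from the filename, or from Implementation-Version in the jar's MANIFEST.MF when the filename is unversioned), and flags anything older than 1.3.3, the replacement version the question proposes. The directory tree it builds for itself (including the lib/optional and webapps/admin paths) is constructed sample data and is not the layout of the real ActiveMQ 5.11.0 download.

```python
"""Inventory commons-fileupload jars bundled under an ActiveMQ-style install tree.

Added example for the mailing-list thread; not project code. The sample tree
built by build_sample_install() is constructed, not the real distribution.
"""
import os
import re
import tempfile
import zipfile

# Threshold taken from the question: 1.3.3 is the replacement version proposed there.
FIXED = (1, 3, 3)

_NAME_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.3.1' -> (1, 3, 1); tuples compare correctly, unlike strings."""
    return tuple(int(p) for p in text.strip().split("."))


def jar_version(path):
    """Prefer the version in the filename; fall back to Implementation-Version in the manifest."""
    m = _NAME_RE.match(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None  # unknown version: treated as needing review


def find_fileupload_jars(root):
    """Return a sorted list of (path relative to root, version tuple or None, flagged)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith("commons-fileupload") and name.endswith(".jar")):
                continue
            full = os.path.join(dirpath, name)
            ver = jar_version(full)
            flagged = ver is None or ver < FIXED
            results.append((os.path.relpath(full, root), ver, flagged))
    return sorted(results)


def _make_jar(path, version):
    """Write a minimal jar (a zip with only a manifest) carrying the given version."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)


def build_sample_install():
    """Constructed sample tree (hypothetical layout): an old jar under a webapp's
    WEB-INF/lib like the one in the question, a current jar elsewhere, and an
    unversioned filename whose version must come from the manifest."""
    root = tempfile.mkdtemp(prefix="amq-sample-")
    _make_jar(os.path.join(root, "webapps", "hawtio", "WEB-INF", "lib",
                           "commons-fileupload-1.3.1.jar"), "1.3.1")
    _make_jar(os.path.join(root, "lib", "optional",
                           "commons-fileupload-1.3.3.jar"), "1.3.3")
    _make_jar(os.path.join(root, "webapps", "admin", "WEB-INF", "lib",
                           "commons-fileupload.jar"), "1.2.2")
    return root


if __name__ == "__main__":
    root = build_sample_install()
    for rel, ver, flagged in find_fileupload_jars(root):
        shown = ".".join(map(str, ver)) if ver else "unknown"
        print(("FLAG " if flagged else "ok   ") + rel + "  " + shown)
```

Run it against a real extracted install by calling find_fileupload_jars with that directory instead of the sample tree. A flagged jar only tells you the library version is old; as the NVD text quoted in the reply says, whether it is exploitable depends on whether the web app that bundles it deserializes untrusted input, which is the question to take to the Hawtio community.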
