From: Justin Bertram
Date: Mon, 11 Mar 2019 14:44:13 -0500
Subject: Re: CVE-2016-1000031 vulnerability on commons-fileupload
To: users@activemq.apache.org
In-Reply-To: <1552315369178-0.post@n4.nabble.com>

Taking a look at the download for ActiveMQ 5.11 [1] I don't even see a
directory named webapps/hawtio. Also, the information on the CVE [2] states:

Per Apache: "Having reviewed your report we have concluded that it does not
represent a valid vulnerability in Apache Commons File Upload. If an
application deserializes data from an untrusted source without filtering
and/or validation that is an application vulnerability not a vulnerability in
the library a potential attacker might leverage."

Therefore, you probably want to follow up with the Hawtio community on
whether or not this could be exploited in their web app and/or if version
1.3.3 of that jar could be used to mitigate the risk.

Justin

[1] http://archive.apache.org/dist/activemq/5.11.0/apache-activemq-5.11.0-bin.zip
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031

On Mon, Mar 11, 2019 at 11:10 AM matteo.piemonti <matteo.piemonti@accenture.com> wrote:

> Hi, we have an Apache ActiveMQ 5.11.0 installation and our security team
> notified us of the vulnerability CVE-2016-1000031 on library
> commons-fileupload-1.3.1.jar, present in webapps/hawtio/WEB-INF/lib.
> How can we mitigate it?
> Is it possible to take library commons-fileupload-1.3.3.jar and replace the
> old file? Is it compatible with ActiveMQ?
>
> Thank you
> Matteo
>
> --
> Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
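A practical first step for a defender reading the exchange above is to inventory which commons-fileupload jars a broker's webapps actually bundle, rather than relying on the scanner report alone. The POSIX shell script below is an added example, not code from this thread or from the ActiveMQ or Hawtio projects. It assumes the jars keep the upstream file-name pattern commons-fileupload-<version>.jar, and it uses 1.3.3, the replacement version proposed in the thread, as the baseline. It goes a little beyond the question by walking every webapp under the directory, not only hawtio.

```shell
#!/bin/sh
# Inventory commons-fileupload jars under a webapps tree and flag any whose
# version is below a baseline. Added example; assumes upstream jar naming
# (commons-fileupload-<version>.jar). Baseline 1.3.3 is the version the
# thread proposes as the replacement.

FIXED_VERSION="1.3.3"

# version_lt A B -> exit status 0 if dotted version A is strictly lower than B.
# Implemented in awk so it does not depend on GNU sort -V.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0;
            y = (i <= nb) ? pb[i] + 0 : 0;
            if (x < y) exit 0;
            if (x > y) exit 1;
        }
        exit 1;   # equal versions are not "lower"
    }'
}

# find_fileupload_jars DIR -> one line per jar: path<TAB>version<TAB>status
find_fileupload_jars() {
    dir="$1"
    find "$dir" -type f -name 'commons-fileupload-*.jar' | sort | while IFS= read -r jar; do
        base=$(basename "$jar" .jar)            # commons-fileupload-1.3.1
        ver=${base#commons-fileupload-}         # 1.3.1
        if version_lt "$ver" "$FIXED_VERSION"; then
            status="BELOW_BASELINE"
        else
            status="OK"
        fi
        printf '%s\t%s\t%s\n' "$jar" "$ver" "$status"
    done
}

# count_below_baseline DIR -> number of jars flagged BELOW_BASELINE
count_below_baseline() {
    find_fileupload_jars "$1" | awk -F'\t' '$3 == "BELOW_BASELINE" { n++ } END { print n + 0 }'
}

# Usage: sh check_fileupload.sh /opt/activemq/webapps
if [ $# -gt 0 ]; then
    find_fileupload_jars "$1"
    echo "jars below $FIXED_VERSION: $(count_below_baseline "$1")"
fi
```

Run against an unpacked distribution, the report answers both questions in the thread: whether a webapps/hawtio/WEB-INF/lib directory exists at all, and which version is present if it does. A file-name match is only a first pass; a shaded or renamed copy of the library will not match the pattern, so confirm a clean result against each jar's META-INF/MANIFEST.MF or the Maven pom.properties it carries before treating the tree as unaffected.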