geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Munna <abhilash.kyat...@gmail.com>
Subject Re: Vulnerability issue with Apache geronimo jars in ActiveMQ Latest version.
Date Mon, 02 Jul 2018 05:38:20 GMT
No, There is no class mentioned in the report. 

Report just says as below Apache activeMQ has these jars and this may lead
to hash collisions.

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters
without restricting the ability to trigger hash collisions predictably,
which allows remote attackers to cause a denial of service (CPU consumption)
by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

You can see this in below link :
https://nvd.nist.gov/vuln/detail/CVE-2011-5034

Here it says solution as replace latest apache geronimo jar but this part of
Apache activemq latest version and not using independent jars.How can i fix
it.?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5034





--
Sent from: http://apache-geronimo.328035.n3.nabble.com/Users-f328036.html

Mime
View raw message