  1. ActiveMQ Classic
  2. AMQ-8107

Does ActiveMQ use the affected functionality within XStream libraries for CVE-2020-26217?


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Duplicate
    • 5.15.14
    • None
    • None
    • None
    • apache-activemq-5.16.0

    Description

      Hi,
      Please have a look at this vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2020-26217

      This is reported on XStream before version 1.4.14.

      I checked your latest release - apache-activemq-5.16.0 still has the vulnerable XStream jar,
      i.e. xstream-1.4.11.1.jar.

      We use ActiveMQ in our product and it has been reported as a security vulnerability.

      • Can you confirm if ActiveMQ is vulnerable to this CVE?
      • If no, then can you confirm which ActiveMQ version is safe to use?
      • If yes, then we need an upgraded ActiveMQ jar with this fix. Need to know the expected timeline.

      Need an urgent response, if possible.

      Thanks and regards,
      ~Bipin Chandra
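
The check the reporter describes (finding a bundled XStream jar older than 1.4.14) can be automated across an unpacked distribution. The following is an added example, not part of the original ticket or of ActiveMQ; the directory names in `demo()` are constructed, and a hit only shows that the jar is bundled, not that the affected functionality is used, which is the question this ticket asks.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 4, 14)  # per the report: the CVE affects XStream before 1.4.14
JAR_NAME = re.compile(r"^xstream-(\d+(?:\.\d+)*)\.jar$")


def is_affected(version, fixed=FIXED):
    """Compare numerically, padding so that 1.4.14 and 1.4.14.0 are equal."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)


def scan(root):
    """Return (relative path, version string, affected) for each XStream jar.

    Jars whose name carries no parseable version get (path, None, None) so
    they are surfaced for manual review instead of being silently skipped.
    """
    root = Path(root)
    findings = []
    for jar in sorted(root.rglob("xstream-*.jar")):
        rel = jar.relative_to(root).as_posix()
        match = JAR_NAME.match(jar.name)
        if match is None:
            findings.append((rel, None, None))
            continue
        version = tuple(int(part) for part in match.group(1).split("."))
        findings.append((rel, match.group(1), is_affected(version)))
    return findings


def demo():
    """Scan a constructed directory tree (empty placeholder files only)."""
    names = ("a/lib/xstream-1.4.11.1.jar", "b/lib/xstream-1.4.14.jar",
             "c/lib/xstream-patched.jar")
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            path = Path(tmp, name)
            path.parent.mkdir(parents=True)
            path.touch()
        return scan(tmp)


if __name__ == "__main__":
    for rel, version, affected in demo():
        print(rel, version, "REVIEW" if affected is None else affected)
```
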

       
       
       


            People

              Assignee: jbonofre Jean-Baptiste Onofré
              Reporter: chandra.bipin@gmail.com Bipin Chandra
              Votes: 0
              Watchers: 2
