Re: Java_December vulnerability

2016-03-08 Thread Andrew Clemons
On 2015-12-10 10:37:15 -0500, christopher.l.shan...@gmail.com wrote:
> Also, this fix will be included in 5.12.2 as well when that is released.

Based on AMQ-6013 it looks like the fix has been included in 5.11.x, 5.12.x, and 5.13.x. Any chance we ca

Re: Java_December vulnerability

2015-12-10 Thread Christopher Shannon
Also, this fix will be included in 5.12.2 as well when that is released.

On Wed, Dec 9, 2015 at 5:41 AM, Dejan Bosanac wrote:
> Hi Tim, yes, it prevents untrusted classes deserializing inside the broker,
> including when you want to look at them in the web console.
>
> Regards
> --
> Dejan Bosan

Re: Java_December vulnerability

2015-12-09 Thread Dejan Bosanac
Hi Tim, yes, it prevents untrusted classes deserializing inside the broker, including when you want to look at them in the web console.

Regards
--
Dejan Bosanac
about.me/dejanb

On Tue, Dec 8, 2015 at 10:27 PM, Tim Bain wrote:
> The mitigation section simply says to upgrade to 5.13.0, which impl

Re: Java_December vulnerability

2015-12-08 Thread Tim Bain
The mitigation section simply says to upgrade to 5.13.0, which implies that 5.13.0 fixes all categories of this problem, including webconsole. Is that accurate?

Tim

On Dec 8, 2015 10:09 AM, "Dejan Bosanac" wrote:
> Hi,
>
> this has just been announced with its own CVE-2015-5254. More info can b

Re: Java_December vulnerability

2015-12-08 Thread Dejan Bosanac
Hi, this has just been announced with its own CVE-2015-5254. More info can be found at http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt

Regards
--
Dejan Bosanac
about.me/dejanb

On Tue, Dec 8, 2015 at 4:41 PM, iali wrote:
> Thanks Tim,
>
> I did have a look at t

Re: Java_December vulnerability

2015-12-08 Thread iali
Thanks Tim, I did have a look at that site and it has a comprehensive explanation of this vulnerability. Also I have been having a discussion under AMQ-6013 and it seems that we can use CVE-2015-4852 based on a comment in https://issues.

Re: Java_December vulnerability

2015-12-08 Thread Tim Bain
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ was a good (though repetitive) overview of the vulnerability, and of one proposed fix (cracking open the commons-collections JAR and removing the InvokerTr

Re: Java_December vulnerability

2015-12-08 Thread iali
Thanks jahlborn, I am currently investigating this further to confirm whether ActiveMQ 5.13.0 is affected by this or whether it fixes the CVE. For your reference I am mainly looking at the following CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103
http://cve.mitre.org/cgi-bin/cvename.cgi?name

Re: Java_December vulnerability

2015-12-04 Thread artnaseef
It is hard to determine based on that message and https://issues.apache.org/jira/browse/COLLECTIONS-580. Based on my searching so far, it looks like that feature of collections is not used in ActiveMQ. Specifically, I searched on InvokerTransformer and did not find any occurrence in the code. It

Re: Java_December vulnerability

2015-12-04 Thread jahlborn
This certainly seems related, although it predates the vulnerability notice: https://issues.apache.org/jira/browse/AMQ-6013

--
View this message in context: http://activemq.2283324.n4.nabble.com/Java-December-vulnerability-tp4704610p4704615.html
Sent from the ActiveMQ - User mailing list archi