Taking a look at the download for ActiveMQ 5.11 [1] I don't even see a directory named webapps/hawtio.

Also, the information on the CVE [2] states:

Per Apache: "Having reviewed your report we have concluded that it does not represent a valid vulnerability in Apache Commons File Upload. If an application deserializes data from an untrusted source without filtering and/or validation that is an application vulnerability not a vulnerability in the library a potential attacker might leverage."

Therefore, you probably want to follow up with the Hawtio community on whether or not this could be exploited in their web app and/or if version 1.3.3 of that jar could be used to mitigate the risk.

Justin

[1] http://archive.apache.org/dist/activemq/5.11.0/apache-activemq-5.11.0-bin.zip
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031

On Mon, Mar 11, 2019 at 11:10 AM matteo.piemonti <matteo.piemo...@accenture.com> wrote:
> Hi, we have an Apache ActiveMQ 5.11.0 installation and our security team
> notified us of the vulnerability CVE-2016-1000031 in library
> commons-fileupload-1.3.1.jar, present in webapps/hawtio/WEB-INF/lib.
> How can we mitigate it?
> Is it possible to take library commons-fileupload-1.3.3.jar and replace the
> old file? Is it compatible with ActiveMQ?
>
> Thank you
> Matteo
>
> --
> Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
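The question in the thread is really an inventory one: which commons-fileupload jars sit under a web app's WEB-INF/lib, and are any of them older than the 1.3.3 build being proposed as a replacement. The script below is an added example, not code from the thread, from ActiveMQ or from Hawtio. It walks a lib directory, reads the version from the Maven-style file name (artifact-version.jar) and, where a jar has been renamed, falls back to Implementation-Title and Implementation-Version in META-INF/MANIFEST.MF; the fixture directory it builds is constructed for the example and only mimics the webapps/hawtio/WEB-INF/lib layout from the question. Whether an old version is actually exploitable in the application is the separate question Justin raises, which a version check cannot answer; the scan only tells you where the old library is.

```python
"""Inventory commons-fileupload jars under a web app's WEB-INF/lib and flag
versions older than the one proposed in the thread (1.3.3).

Added example, not code from the mailing-list thread, ActiveMQ or Hawtio.
Assumptions: jar names follow Maven's artifact-version.jar convention, and
when they do not, META-INF/MANIFEST.MF carries Implementation-Title and
Implementation-Version (both are conventional, not guaranteed).
"""
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

ARTIFACT = "commons-fileupload"
FIXED_VERSION = (1, 3, 3)  # the replacement version asked about in the thread
NAME_RE = re.compile(rf"^{re.escape(ARTIFACT)}-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.1' -> (1, 3, 1); tuples compare component-wise, which is what we want."""
    return tuple(int(part) for part in text.split("."))


def version_from_manifest(jar_path: str) -> Optional[Tuple[int, ...]]:
    """Fallback for renamed jars: read the version out of the manifest, if present."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    title = version = None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Implementation-Title":
            title = value
        elif key == "Implementation-Version":
            version = value
    if title == ARTIFACT and version and re.fullmatch(r"\d+(\.\d+)*", version):
        return parse_version(version)
    return None


def scan_lib_dir(lib_dir: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (file name, version string) for every commons-fileupload jar older than `fixed`."""
    findings = []
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        match = NAME_RE.match(name)
        if match:
            version = parse_version(match.group(1))
        else:
            version = version_from_manifest(os.path.join(lib_dir, name))
        if version is not None and version < fixed:
            findings.append((name, ".".join(map(str, version))))
    return findings


def build_sample_lib_dir() -> str:
    """Constructed fixture: a temp webapps/hawtio/WEB-INF/lib with minimal jars.
    Each jar is an empty zip carrying only a manifest; no real library code."""
    root = tempfile.mkdtemp()
    lib_dir = os.path.join(root, "webapps", "hawtio", "WEB-INF", "lib")
    os.makedirs(lib_dir)
    samples = {
        "commons-fileupload-1.3.1.jar": ("commons-fileupload", "1.3.1"),  # version named in the question
        "commons-fileupload-1.3.3.jar": ("commons-fileupload", "1.3.3"),  # proposed replacement
        "fileupload-renamed.jar": ("commons-fileupload", "1.3.1"),        # only the manifest identifies it
        "some-other-lib-2.0.jar": ("some-other-lib", "2.0"),              # unrelated artifact, must be ignored
    }
    for fname, (title, ver) in samples.items():
        with zipfile.ZipFile(os.path.join(lib_dir, fname), "w") as zf:
            zf.writestr(
                "META-INF/MANIFEST.MF",
                f"Manifest-Version: 1.0\r\nImplementation-Title: {title}\r\n"
                f"Implementation-Version: {ver}\r\n",
            )
    return lib_dir


if __name__ == "__main__":
    fixed_str = ".".join(map(str, FIXED_VERSION))
    for fname, ver in scan_lib_dir(build_sample_lib_dir()):
        print(f"{fname}: {ARTIFACT} {ver} is older than {fixed_str}")
```

Pointing `scan_lib_dir` at a real installation's webapps/hawtio/WEB-INF/lib gives the list of files you would be swapping out; a jar that passes neither the file-name nor the manifest check is silently skipped, so an empty result from a directory you expected to contain the library is worth a manual look rather than a clean bill of health.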