There were a few versions of ActiveMQ 5.x that packaged HawtIO with the broker, but within a few versions it was removed and users would have to add it manually. From memory, I think it was present in 5.9 and 5.10 and removed thereafter.
Justin's response matches up with my belief that 5.11.1 was a version that didn't have HawtIO bundled, so it would have been installed manually by someone on your project (or someone upgraded in place from a version that did have it bundled and didn't clear out the things that were no longer present, which is the same thing). In any case, Justin's recommendation to work with the HawtIO community about this potential vulnerability in their software is the way to go.

Tim

On Mon, Mar 11, 2019, 1:44 PM Justin Bertram <jbert...@apache.org> wrote:

> Taking a look at the download for ActiveMQ 5.11 [1] I don't even see a directory named webapps/hawtio.
>
> Also, the information on the CVE [2] states:
>
> Per Apache: "Having reviewed your report we have concluded that it does not represent a valid vulnerability in Apache Commons File Upload. If an application deserializes data from an untrusted source without filtering and/or validation that is an application vulnerability not a vulnerability in the library a potential attacker might leverage."
>
> Therefore, you probably want to follow up with the Hawtio community on whether or not this could be exploited in their web app and/or if version 1.3.3 of that jar could be used to mitigate the risk.
>
> Justin
>
> [1] http://archive.apache.org/dist/activemq/5.11.0/apache-activemq-5.11.0-bin.zip
> [2] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031
>
> On Mon, Mar 11, 2019 at 11:10 AM matteo.piemonti <matteo.piemo...@accenture.com> wrote:
>
>> Hi, we have an Apache ActiveMQ 5.11.0 installation and our security team notified us of the vulnerability CVE-2016-1000031 on library commons-fileupload-1.3.1.jar, present in webapps/hawtio/WEB-INF/lib.
>> How can we mitigate it?
>> Is it possible to take library commons-fileupload-1.3.3.jar and replace the old file? Is it compatible with ActiveMQ?
>>
>> Thank you
>> Matteo
>>
>> --
>> Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html