Hi!
Thanks for the info on the velocity stuff.

What about the security vulnerability caused by the use of Log4j 1.2.17 by ActiveMQ 
(CVE-2019-17571)?

Or the Camel JMS 2.25.4 security vulnerability (CVE-2020-11971)?
Thanks,
-Doug


-----Original Message-----
From: Matt Pavlovich <mattr...@gmail.com> 
Sent: Monday, August 30, 2021 3:55 PM
To: users@activemq.apache.org
Subject: Re: Security issues

Hello Doug-

Yes. You should be able to update the Velocity dependency to Velocity 2.3 
without any problems. 

Ref: http://velocity.apache.org/engine/2.3/upgrading.html#upgrading-from-velocity-22-to-velocity-23
Ref: https://velocity.apache.org/engine/2.3/changes.html

ActiveMQ 5.15.x release stream is closed, efforts are now on 5.16.x and the 
5.17.x WIP streams. However, swapping out the velocity jar on your own 
shouldn’t have any impacts.

You’ll have to ping the Camel users mailing list to ask about a 2.25.x updated 
release. Again, I suspect just updating the jar on your own should work fine.

NOTE: To other readers— this is not a new ActiveMQ security issue, since 
ActiveMQ has upgraded Velocity to 2.3 in 5.16.x

Thanks,
Matt Pavlovich
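For a project that pulls Velocity in transitively through camel-velocity (Doug's setup, camel 2.25.4 with velocity-engine 2.0), the override Matt describes can be done in Maven rather than by swapping the jar by hand. The fragment below is an added example, not from the thread or from the ActiveMQ/Camel projects; it assumes the transitive Velocity artifact is org.apache.velocity:velocity-engine-core (the Velocity 2.x coordinate) and pins it to 2.3 via dependencyManagement so the managed version wins over the 2.0 declared by camel-velocity.

```xml
<project>
  <!-- ... groupId/artifactId/version of your own project ... -->

  <dependencyManagement>
    <dependencies>
      <!-- Force the Velocity version for every module, including the
           transitive one declared by camel-velocity 2.25.4 (assumed to be
           org.apache.velocity:velocity-engine-core:2.0). Managed versions
           override transitive versions in Maven's resolution. -->
      <dependency>
        <groupId>org.apache.velocity</groupId>
        <artifactId>velocity-engine-core</artifactId>
        <version>2.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The Camel component stays at the version the thread discusses;
         only its Velocity dependency is lifted to 2.3. -->
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-velocity</artifactId>
      <version>2.25.4</version>
    </dependency>
  </dependencies>
</project>
```

After the change, confirm which Velocity version actually lands on the classpath with `mvn dependency:tree -Dincludes=org.apache.velocity`; if 2.0 still appears, another dependency is declaring it directly and needs the same pin or an exclusion. Re-running Dependency-check on the rebuilt artifact is the check that the scanner no longer sees the 2.0 jar.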

> On Aug 30, 2021, at 3:36 PM, Jackson, Douglas <douglas.s.jack...@siemens.com> 
> wrote:
> 
> Hi!
> I am using activemq 5.16.3 and camel 2.25.4. There appears to be some 
> security issues with them based on a tool called Dependency-check.
> It also flags a security issue with the velocity engine 2.0 (which 
> camel-velocity 2.25.4 lists as a dependency).
> Are these valid?
> Is it possible to use a more recent version of the velocity-engine with the 
> camel-velocity 2.5.4?
> Are there any plans to address these in the 5.15.x and 2.25.x releases?
> 
> CVE-2019-17571<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571>
> CVE-2020-11971<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11971>
> CVE-2020-13936<https://nvd.nist.gov/vuln/detail/CVE-2020-13936>
> 
> Thanks in advance for any guidance,
> 
> -Doug
> 
