Thanks for the explanation. I indeed checked the wrong dependency.

While the CVE was published on Friday 27th, I checked Sunday 29th October with dependency-check, and at that time no issue was shown. After that, I updated dependencies myself, so dependency-check would not find anything any more, but I lost my trust in dependency-check, not reporting issues in a timely manner. I expected that not seeing the issue at Maven Central was the cause. I kept manually checking Maven Central for the CVE to appear, but apparently I was checking the wrong one there.

When I force a check on the old version now, dependency-check does find the vulnerability, but I wonder how long it took.

Cheers,

Wim
On 13-11-2023 16:17, Justin Bertram wrote:
I believe you're looking at the wrong Maven dependency. The two vulnerable
dependencies are:

   - activemq-client: https://central.sonatype.com/artifact/org.apache.activemq/activemq-client/versions
   - activemq-openwire-legacy: https://central.sonatype.com/artifact/org.apache.activemq/activemq-openwire-legacy/versions

If you look at those you can see that the vulnerability is listed.


Justin

On Mon, Nov 13, 2023 at 9:11 AM Wim van Ravesteijn <raveste...@olisa.eu> wrote:

Hello,

Over 2 weeks ago CVE-2023-46604 with a critical vulnerability was
published, but I wonder if this was done in the proper way. When looking
at Maven central, all versions are marked with 0 vulnerabilities, which
is not correct:

https://central.sonatype.com/artifact/org.apache.activemq/activemq-broker/versions

I suppose this is also the reason dependency-check does not see any
issues with the old ActiveMQ version. That means when people are not
reading all CVEs or subscribed to this mailing list, they are still
unaware of this critical vulnerability.

Shouldn't this be fixed, so more people become aware they are running
vulnerable software?

Cheers,

Wim
--
Wim van Ravesteijn
    Software Engineer
    Infrastructure Specialist

Olisa Solutions B.V.
Dr. van Wiechenweg 10
8025 BZ Zwolle

email: raveste...@olisa.eu

phone: +31(0)38 7114481
fax: +31(0)38 7114482
web: www.olisa-solutions.nl
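The point of the exchange above is that the broker artifact page is not where the CVE is recorded; the actual vulnerable artifacts are the transitive activemq-client and activemq-openwire-legacy dependencies. The following script is an added example (not code from the thread or from the ActiveMQ project) that scans `mvn dependency:tree` output for exactly those two artifacts and flags versions below the fixed release of their branch; the fixed-version table is an assumption taken from the Apache advisory for CVE-2023-46604 and should be verified against it, and the tree output is constructed sample input.

```python
# Added example: find the transitive ActiveMQ artifacts that actually carry
# CVE-2023-46604 in `mvn dependency:tree` output, rather than trusting the
# broker artifact's vulnerability count on Maven Central.
import re

# Assumption: fixed release per 5.x branch as given in the Apache advisory
# for CVE-2023-46604. Verify against the advisory before relying on this.
FIXED_VERSIONS = {
    "5.15": "5.15.16",
    "5.16": "5.16.7",
    "5.17": "5.17.6",
    "5.18": "5.18.3",
}
# The two artifacts named in the thread as the ones that carry the CVE.
VULNERABLE_ARTIFACTS = {"activemq-client", "activemq-openwire-legacy"}

# Matches e.g. "[INFO] |  +- org.apache.activemq:activemq-client:jar:5.18.2:compile"
LINE_RE = re.compile(r"org\.apache\.activemq:(?P<artifact>[\w-]+):jar:(?P<version>[\d.]+)")


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version):
    """True when the version is older than its branch's fixed release.
    A branch with no listed fix is treated as vulnerable (conservative)."""
    branch = ".".join(version.split(".")[:2])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return True
    return parse_version(version) < parse_version(fixed)


def find_vulnerable(tree_output):
    """Return (artifact, version) pairs from dependency:tree text that need an upgrade."""
    hits = []
    for line in tree_output.splitlines():
        match = LINE_RE.search(line)
        if match and match.group("artifact") in VULNERABLE_ARTIFACTS:
            if is_vulnerable(match.group("version")):
                hits.append((match.group("artifact"), match.group("version")))
    return hits


# Constructed sample of `mvn dependency:tree` output (not from the thread).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.activemq:activemq-broker:jar:5.18.2:compile
[INFO] |  +- org.apache.activemq:activemq-client:jar:5.18.2:compile
[INFO] |  \\- org.apache.activemq:activemq-openwire-legacy:jar:5.18.2:compile
[INFO] \\- org.apache.activemq:activemq-client:jar:5.18.3:test
"""

if __name__ == "__main__":
    for artifact, version in find_vulnerable(SAMPLE_TREE):
        print(f"{artifact}:{version} is below the fixed release for its branch")
```

Run `mvn dependency:tree > tree.txt` in the project and feed the file to `find_vulnerable` to check the actual resolved artifacts rather than the declared broker dependency.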
