Hi Stefan-

FYI: updated ActiveMQ releases for 6.1.x, 6.0.x, 5.18.x & 5.17.x are underway.

This CVE does not appear to apply to ActiveMQ, since ActiveMQ does not use the 
vulnerable class 'UriComponentsBuilder'.

Additionally, this issue can be readily avoided by disabling the web console,
which eliminates usage of the spring-web dependency.

Thanks,
Matt Pavlovich

> On Feb 27, 2024, at 12:49 AM, Boeltl, Stefan 
> <stefan.boe...@fisglobal.com.INVALID> wrote:
> 
> Hi,
> 
> We're getting security findings regarding CVE-2024-22243 when scanning 
> ActiveMQ 5.18.3.
> Didn't want to raise a ticket straight away but first check with "the powers 
> that be", whether CVE-2024-22243 is relevant and an upgrade to version 5.3.32 
> is being planned for 5.18.4 since I could not find a ticket for this yet.
> (If an upgrade is being planned, it would be great to get a feeling of when 
> 5.18.4 will be released...)
> Thanks!
> 
> Regards
> Stefan
