These first three are related to Apache Geronimo. I don't know why these
would be reported for ActiveMQ Artemis. We don't ship any jars from
Geronimo so these are not valid:
  *   CVE-2008-5518 <https://github.com/advisories/GHSA-xm92-rf24-h74w>
  *   CVE-2009-0038 <https://github.com/advisories/GHSA-c372-x57p-6x7v>
  *   CVE-2009-0039 <https://github.com/advisories/GHSA-678x-xfp4-r92r>

I can understand CVE-2024-6763 because it does impact the version of Jetty
that we shipped in 2.37.0, but the CVE indicates the problem only occurs
for applications using HttpURI which we do not:

> The vulnerable component is the HttpURI class when used as a utility
> class in an application. The Jetty usage of the class is not vulnerable.

We don't ship/use logback so CVE-2023-6378 is not valid.

I can also understand CVE-2024-8184 because it also impacts the version of
Jetty that we shipped in 2.37.0, but the CVE indicates the problem only
occurs when using ThreadLimitHandler which we do not.

CVE-2024-47554 is not valid because the version of commons-io that we ship
in 2.37.0 is not vulnerable.

I'd say your scanning tool isn't doing a very good job. Only two of the
seven issues reported were even potentially problematic. Ultimately all of
these are false positives.

Out of curiosity, what scanning tool are you using, and what exactly are
you scanning? Did the tool provide any additional details to clarify
specifically why these CVEs were reported?


Justin

On Fri, Oct 25, 2024 at 4:27 AM Anzile, Christophe
<christophe.anz...@hpe.com.invalid> wrote:

> Hi
> Our vulnerability scanning tool is reporting following CVEs for artemis
> 2.37.0
>
>   *   CVE-2008-5518 <https://github.com/advisories/GHSA-xm92-rf24-h74w>
>   *   CVE-2009-0038 <https://github.com/advisories/GHSA-c372-x57p-6x7v>
>   *   CVE-2009-0039 <https://github.com/advisories/GHSA-678x-xfp4-r92r>
>   *   CVE-2024-6763 <https://github.com/advisories/GHSA-qh8g-58pp-2wxh>
>   *   CVE-2023-6378 <https://github.com/advisories/GHSA-vmq6-5m68-f53m>
>   *   CVE-2024-8184 <https://github.com/advisories/GHSA-g8m5-722r-8whq>
>   *   CVE-2024-47554 <https://github.com/advisories/GHSA-78wr-2p64-hpwj>
> Are they really there?
> If yes, any plan to fix them?
> Thanx.
>
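The triage Justin walks through above (is the flagged artifact shipped at all, and if so, which version, before even asking whether the vulnerable code path is used) can be done against the distribution's lib/ directory instead of trusting the scanner. The script below is an added example written for this thread; it is not code from the Artemis project or from either poster. It builds a constructed lib/ directory of placeholder jars (placeholder group/artifact/version strings, not the contents of any real release), reads each jar's Maven pom.properties to get the real coordinates (falling back to the file name), and classifies each scanner finding as NOT_SHIPPED or SHIPPED with the shipped version. The CVE-to-artifact mapping in SAMPLE_FINDINGS is an assumption made for illustration.

```python
"""Check a scanner's CVE findings against the jars actually present in a distribution."""
import os
import re
import tempfile
import zipfile

# Constructed sample lib/ contents: placeholder coordinates and versions,
# NOT the jars of any real ActiveMQ Artemis release. An empty groupId means
# "write no pom.properties", to exercise the file-name fallback.
SAMPLE_JARS = [
    ("org.eclipse.jetty", "jetty-http", "0.0.1-placeholder"),
    ("org.eclipse.jetty", "jetty-server", "0.0.2-placeholder"),
    ("commons-io", "commons-io", "0.0.3-placeholder"),
    ("org.apache.activemq", "artemis-server", "0.0.4-placeholder"),
    ("", "netty-common", "0.0.5-placeholder"),
]

# Constructed scanner findings: CVE ids from the thread, each paired with the
# Maven artifactId the advisory is assumed to concern (assumption, for illustration).
SAMPLE_FINDINGS = [
    ("CVE-2008-5518", "geronimo-kernel"),
    ("CVE-2009-0038", "geronimo-kernel"),
    ("CVE-2009-0039", "geronimo-kernel"),
    ("CVE-2024-6763", "jetty-http"),
    ("CVE-2023-6378", "logback-classic"),
    ("CVE-2024-8184", "jetty-server"),
    ("CVE-2024-47554", "commons-io"),
]

POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")
# artifact-version.jar where the version starts with a digit, e.g. foo-bar-1.2.3.jar
FILENAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^-]*(?:-[^-]+)*)\.jar$")


def build_sample_lib(lib_dir):
    """Write the constructed placeholder jars into lib_dir (a jar is just a zip)."""
    for group, artifact, version in SAMPLE_JARS:
        path = os.path.join(lib_dir, f"{artifact}-{version}.jar")
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if group:
                props = f"groupId={group}\nartifactId={artifact}\nversion={version}\n"
                jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties", props)
    return lib_dir


def inventory(lib_dir):
    """Map artifactId -> (groupId, version) for every jar under lib_dir.

    Prefers the Maven pom.properties embedded in the jar; falls back to parsing
    the file name, and records '?' for anything it cannot determine.
    """
    found = {}
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        coords = None
        with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
            for entry in jar.namelist():
                if POM_PROPS.match(entry):
                    lines = jar.read(entry).decode("utf-8").splitlines()
                    kv = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
                    coords = (kv.get("groupId", "?"), kv["artifactId"], kv["version"])
                    break
        if coords is None:
            m = FILENAME.match(name)
            coords = ("?", m.group("artifact"), m.group("version")) if m else ("?", name, "?")
        found[coords[1]] = (coords[0], coords[2])
    return found


def triage(findings, shipped):
    """Classify each (cve, artifactId) finding against the shipped inventory.

    NOT_SHIPPED: the artifact is absent, so the finding is a false positive.
    SHIPPED: the artifact is present; the shipped version must still be compared
    with the advisory's affected range, and then the vulnerable class or code
    path checked for actual use, before the finding is accepted.
    """
    verdicts = {}
    for cve, artifact in findings:
        if artifact in shipped:
            _group, version = shipped[artifact]
            verdicts[cve] = ("SHIPPED", f"{artifact} {version}")
        else:
            verdicts[cve] = ("NOT_SHIPPED", artifact)
    return verdicts


def run_demo():
    """Build the constructed lib/, inventory it, and triage the sample findings."""
    lib_dir = build_sample_lib(tempfile.mkdtemp(prefix="lib-"))
    shipped = inventory(lib_dir)
    return shipped, triage(SAMPLE_FINDINGS, shipped)


if __name__ == "__main__":
    _shipped, verdicts = run_demo()
    for cve, (status, detail) in verdicts.items():
        print(f"{cve}: {status} ({detail})")
```

Pointing inventory() at a real distribution's lib/ directory gives the list to answer "is it really there?" with; the SHIPPED cases are where the remaining two questions from the thread (affected version range, and whether the vulnerable class such as HttpURI or ThreadLimitHandler is used at all) still have to be answered by hand.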
