Hi Justin,
Thanx for your reply.

For Apache Geronimo, it's very strange because I don't put it either in my 
solution.
Those 3 CVEs are reported on a module called 'console' with no version, so 
very strange. Probably a bug in the tool indeed.

For the ones regarding logback and commons-io, it's my mistake, sorry about 
that. Please disregard CVE-2023-6378 + CVE-2024-47554.
I put those as dependencies to be able to have a single way of logging for all 
my images.

For the ones concerning jetty-10.0.22, I will mark them as not vulnerable, 
thanx for the confirmation.

For your curiosity, our scanning tool is based on docker images, so it scans 
the entire application + OS.
In this specific case, I start from a common openjdk-17-runtime base image 
(taken from a public registry) on which I add the full artemis-bin.tar.gz + the 
2 logback/commons-io jars.
Then we use syft to generate an SBOM and then we upload everything in our 
home-made report tool called VTN (for Vulnerability Tracker and Notifications).
Basically, this tool provides a view of vulnerabilities per image. I don't 
claim the tool is free of bugs, especially with certain types of source feeds 
(could be REDHAT, NVD, MAVEN, ...)

Unfortunately, there are not many details except the module impacted, the CVSSV3 
score and things like that.

Best regards
Christophe.
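The pipeline described above (image, syft SBOM, findings with only a module name, an optional version and a CVE id) lends itself to a mechanical first-pass triage before anything is marked "not vulnerable" by hand. The script below is an added example, not code from this thread, from VTN or from the ActiveMQ project: it indexes a CycloneDX-style SBOM of the shape syft emits, sorts each finding into "component not present", "no version to compare" (the pattern behind the unversioned 'console' hits) or "needs manual review", and records the final decisions as an OpenVEX document so downstream consumers see the justification rather than a bare suppression. The SBOM fragment, the findings, the version strings other than jetty 10.0.22, the product purl and the author name are all constructed for the example.

```python
"""Triage scanner findings against a syft-style CycloneDX SBOM, then emit OpenVEX.

Added example for the thread; not VTN, syft or ActiveMQ code. All inputs below
are constructed. Only jetty 10.0.22 and the CVE ids come from the discussion.
"""
import json
from datetime import datetime, timezone

# Constructed CycloneDX-style SBOM fragment, shaped like `syft -o cyclonedx-json`.
# The "console" entry deliberately has no version, mirroring the odd finding.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "jetty-server", "version": "10.0.22",
     "purl": "pkg:maven/org.eclipse.jetty/jetty-server@10.0.22"},
    {"name": "commons-io", "version": "0.0.0-constructed",
     "purl": "pkg:maven/commons-io/commons-io@0.0.0-constructed"},
    {"name": "console", "purl": "pkg:maven/example/console"}
  ]
}"""

# Constructed findings in the shape the thread describes: module, optional version, CVE.
FINDINGS = [
    {"cve": "CVE-2008-5518", "component": "console", "version": None},
    {"cve": "CVE-2024-6763", "component": "jetty-server", "version": "10.0.22"},
    {"cve": "CVE-2023-6378", "component": "logback-core", "version": "0.0.0-constructed"},
]

# Analyst decisions from manual review, keyed by CVE. The justification strings
# are the OpenVEX v0.2.0 enumeration; the jetty entry mirrors the thread's reasoning
# that only HttpURI-as-utility usage is affected.
DECISIONS = {
    "CVE-2024-6763": ("not_affected", "vulnerable_code_not_in_execute_path"),
}


def index_sbom(sbom_text):
    """Map component name -> set of versions recorded in the SBOM (None if absent)."""
    index = {}
    for comp in json.loads(sbom_text).get("components", []):
        index.setdefault(comp["name"], set()).add(comp.get("version"))
    return index


def triage(findings, index):
    """Classify each finding by what the SBOM can and cannot support."""
    out = []
    for f in findings:
        name, ver = f["component"], f.get("version")
        if name not in index:
            # Nothing with that name in the artifact: the matcher hit something else.
            status, note = "not_affected", "component_not_present"
        elif ver is None or index[name] == {None}:
            # No version on either side, so no range comparison can have happened.
            status, note = "suspect", "no version to compare; likely matcher noise"
        elif ver not in index[name]:
            status, note = "under_investigation", "version differs from SBOM; re-check match"
        else:
            status, note = "under_investigation", "component and version present; check reachability"
        out.append({**f, "status": status, "note": note})
    return out


def build_vex(product_purl, triaged, decisions, author="example-security-team"):
    """Emit an OpenVEX v0.2.0 document; unresolved findings stay under_investigation."""
    statements = []
    for t in triaged:
        status, justification = decisions.get(t["cve"], (None, None))
        if status is None:
            status = t["status"]
            justification = t["note"] if status == "not_affected" else None
        if status == "suspect":
            status = "under_investigation"  # not a VEX status; keep it open, not silenced
        stmt = {"vulnerability": {"name": t["cve"]},
                "products": [{"@id": product_purl}],
                "status": status}
        if justification:
            stmt["justification"] = justification
        statements.append(stmt)
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/constructed-1",  # constructed document id
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


if __name__ == "__main__":
    # Product purl is an assumption for the example, not taken from the thread.
    product = "pkg:maven/org.apache.activemq/apache-artemis@2.37.0"
    print(json.dumps(build_vex(product, triage(FINDINGS, index_sbom(SBOM_JSON)), DECISIONS), indent=2))
```

The useful property is that a finding with no version on either side never becomes "not affected" automatically; it stays open until someone confirms what the matcher actually keyed on, while a component that simply is not in the SBOM is closed with `component_not_present`, which is the justification Justin's Geronimo and logback answers amount to.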

-----Original Message-----
From: Justin Bertram <jbert...@apache.org> 
Sent: Friday, October 25, 2024 3:14 PM
To: users@activemq.apache.org
Subject: Re: CVE presence in artemis-2.37.0

These first three are related to Apache Geronimo. I don't know why these would 
be reported for ActiveMQ Artemis. We don't ship any jars from Geronimo so these 
are not valid:
  *   CVE-2008-5518 <https://github.com/advisories/GHSA-xm92-rf24-h74w>
  *   CVE-2009-0038 <https://github.com/advisories/GHSA-c372-x57p-6x7v>
  *   CVE-2009-0039 <https://github.com/advisories/GHSA-678x-xfp4-r92r>

I can understand CVE-2024-6763 because it does impact the version of Jetty that 
we shipped in 2.37.0, but the CVE indicates the problem only occurs for 
applications using HttpURI which we do not:

> The vulnerable component is the HttpURI class when used as a utility 
> class in an application. The Jetty usage of the class is not vulnerable.

We don't ship/use logback so CVE-2023-6378 is not valid.

I can also understand CVE-2024-8184 because it also impacts the version of 
Jetty that we shipped in 2.37.0, but the CVE indicates the problem only occurs 
when using ThreadLimitHandler which we do not.

CVE-2024-47554 is not valid because the version of commons-io that we ship in 
2.37.0 is not vulnerable.

I'd say your scanning tool isn't doing a very good job. Only two of the seven 
issues reported were even potentially problematic. Ultimately all of these are 
false positives.

Out of curiosity, what scanning tool are you using, and what exactly are you 
scanning? Did the tool provide any additional details to clarify specifically 
why these CVEs were reported?


Justin

On Fri, Oct 25, 2024 at 4:27 AM Anzile, Christophe 
<christophe.anz...@hpe.com.invalid> wrote:

> Hi
> Our vulnerability scanning tool is reporting following CVEs for 
> artemis
> 2.37.0
>
>   *   CVE-2008-5518 <https://github.com/advisories/GHSA-xm92-rf24-h74w>
>   *   CVE-2009-0038 <https://github.com/advisories/GHSA-c372-x57p-6x7v>
>   *   CVE-2009-0039 <https://github.com/advisories/GHSA-678x-xfp4-r92r>
>   *   CVE-2024-6763 <https://github.com/advisories/GHSA-qh8g-58pp-2wxh>
>   *   CVE-2023-6378 <https://github.com/advisories/GHSA-vmq6-5m68-f53m>
>   *   CVE-2024-8184 <https://github.com/advisories/GHSA-g8m5-722r-8whq>
>   *   CVE-2024-47554 <https://github.com/advisories/GHSA-78wr-2p64-hpwj>
> Are they really there ?
> If yes, any plan to fix them?
> Thanx.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@activemq.apache.org
For additional commands, e-mail: users-h...@activemq.apache.org
For further information, visit: https://activemq.apache.org/contact