Incorrect vulnerability details ActiveMQ vs Artemis
Closed this issue · 5 comments
Vulnerability URL
Provide the URL to the vulnerability. For example:
https://ossindex.sonatype.org/vulnerability/CVE-2015-3208?component-type=maven&component-name=org.apache.activemq%2Factivemq-broker&utm_source=dependency-check&utm_medium=integration&utm_content=7.1.1
Component URL
Provide the URL to the component. For example:
https://ossindex.sonatype.org/component/pkg:maven/org.apache.activemq/activemq-broker
Description
cpe:2.3:a:org.apache.activemq:activemq-broker:5.16.4:*:*:*:*:*:*:* should not be affected by vulnerabilities in ActiveMQ Artemis.
Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.
This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.
Sonatype Deep Dive research determined that the vulnerability does indeed affect the broker (through code review), and therefore our report deviates from the CVE report.
We will be upgrading OSS Index to output this "deviation notice" information soon, where we deviate from the CVE (and why).
Sonatype Deep Dive research determined that the vulnerability does indeed affect the broker
@ken-duck When you say "broker", do you (or the research team) talk about the Classic or Artemis broker?
The ActiveMQ team seems to think this code is not even in any release: https://issues.apache.org/jira/browse/AMQ-8984
Could you please forward this link to your research team? I think it would make sense if they let the ActiveMQ team know about their findings.
@ken-duck, from what I can tell CVE-2015-3208 is invalid.
First, it's being reported against org.apache.activemq/activemq-broker (i.e. ActiveMQ "Classic") when the related code is in the code-base of ActiveMQ Artemis. These two code-bases are independent. CVEs in one don't necessarily impact the other.
Second, the code in question was never released. The problematic code was added during the process of donating the HornetQ code-base to ActiveMQ, and then the problem was resolved before that code was released as ActiveMQ Artemis 1.0.
Third, the status of the referenced issue at Red Hat is CLOSED WONTFIX.
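The vulnerability URL at the top of this issue identifies OWASP dependency-check as the integration consuming OSS Index data. As an added example (not part of the original issue or of either project's code), this is how a consumer of that data would suppress this one false positive while leaving every other finding for activemq-broker visible. The file name (suppressions.xml) and the wording of the note are assumptions; the element names and the packageUrl/cve matchers are dependency-check's standard suppression schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- suppressions.xml: assumed file name; passed to dependency-check with --suppression -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: CVE-2015-3208 concerns code in the ActiveMQ Artemis code-base
        (never released; see AMQ-8984), not ActiveMQ "Classic" activemq-broker.
        Re-check when OSS Index publishes its deviation notice for this CVE.
        ]]></notes>
        <!-- Match only the activemq-broker artifact, any version, so unrelated
             artifacts under org.apache.activemq are not silenced. -->
        <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activemq\-broker@.*$</packageUrl>
        <!-- Suppress this single CVE, not the whole component. -->
        <cve>CVE-2015-3208</cve>
    </suppress>
</suppressions>
```

Scoping the rule to one CVE on one package URL is the point: a broad suppression on the component (or on the CPE) would also hide any genuine future finding for activemq-broker. If you prefer the suppression to expire rather than live forever, dependency-check's suppress element also accepts an until="YYYY-MM-DDZ" attribute, which forces a re-review once the upstream data has had time to be corrected.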