OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details ActiveMQ vs Artemis #307

Closed urld closed 1 year ago

urld commented 2 years ago

Vulnerability URL
Provide the URL to the vulnerability. For example:

https://ossindex.sonatype.org/vulnerability/CVE-2015-3208?component-type=maven&component-name=org.apache.activemq%2Factivemq-broker&utm_source=dependency-check&utm_medium=integration&utm_content=7.1.1

Component URL
Provide the URL to the component. For example:

https://ossindex.sonatype.org/component/pkg:maven/org.apache.activemq/activemq-broker

Description
cpe:2.3:a:org.apache.activemq:activemq-broker:5.16.4:*:*:*:*:*:*:* should not be affected by vulnerabilities in ActiveMQ Artemis

ken-duck commented 2 years ago

Sorry for the delay. We have been working on getting appropriate internal processes defined for dealing with data issues in the new data set. We are now working on catching up on the backlog.

This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.

ken-duck commented 1 year ago

Sonatype Deep Dive research determined that the vulnerability does indeed affect the broker (through code review), and therefore our report deviates from the CVE report.

We will be upgrading OSS Index to output this "deviation notice" information soon, where we deviate from the CVE (and why).

dicer commented 1 year ago

Sonatype Deep Dive research determined that the vulnerability does indeed affect the broker

@ken-duck When you say "broker", are you (or the research team) talking about the Classic or the Artemis broker? The ActiveMQ team seems to think this code is not even in any release: https://issues.apache.org/jira/browse/AMQ-8984. Could you please forward this link to your research team? I think it would make sense if they let the ActiveMQ team know about their findings.

jbertram commented 1 year ago

@ken-duck, from what I can tell CVE-2015-3208 is invalid.

First, it's being reported against org.apache.activemq/activemq-broker (i.e. ActiveMQ "Classic") when the related code is in the code base of ActiveMQ Artemis. These two code bases are independent. CVEs in one don't necessarily impact the other.

Second, the code in question was never released. The problematic code was added during the process of donating the HornetQ code-base to ActiveMQ, and then the problem was resolved before that code was released as ActiveMQ Artemis 1.0.

Third, the status of the referenced issue at Red Hat is CLOSED WONTFIX.
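While the upstream data is corrected, a false positive like the one analysed above can be suppressed locally and narrowly. The suppression file below is an added example, not something posted in this thread or shipped by OSS Index or ActiveMQ; it assumes the scan was run with OWASP dependency-check (as the utm_source in the reported URL suggests), uses its suppression schema 1.3, and scopes the suppression to exactly the purl and CVE discussed here so that genuine activemq-broker findings still surface.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: CVE-2015-3208 concerns ActiveMQ Artemis code that was never
        released, not ActiveMQ "Classic" (activemq-broker). Reference:
        https://issues.apache.org/jira/browse/AMQ-8984 and OSSIndex/vulns#307.
        Remove this entry once the upstream advisory data is corrected.
        ]]></notes>
        <!-- Match only the Classic broker artifact, any version (regex on the purl). -->
        <packageUrl regex="true">^pkg:maven/org\.apache\.activemq/activemq\-broker@.*$</packageUrl>
        <!-- Suppress only this one CVE, not everything reported for the artifact. -->
        <cve>CVE-2015-3208</cve>
    </suppress>
</suppressions>
```

Pass the file to dependency-check with its suppression-file option and keep it under version control so the rationale in the notes travels with the build.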

dicer commented 1 year ago

@ken-duck Any update on this?