shaundmorris / ddf

The Distributed Data Framework

CVE-2018-11775 High Severity Vulnerability detected by WhiteSource #1545

Status: Closed (closed by mend-bolt-for-github[bot] 4 years ago)

mend-bolt-for-github[bot] commented 5 years ago

CVE-2018-11775 - High Severity Vulnerability

Vulnerable Library - activemq-client-5.14.5.jar

The ActiveMQ Client implementation

path: /ddf/distribution/ddf/target/dependencies/apache-karaf-4.2.2/system/org/apache/activemq/activemq-client/5.14.5/activemq-client-5.14.5.jar

Library home page: http://activemq.apache.org/activemq-client

Dependency Hierarchy:
- :x: **activemq-client-5.14.5.jar** (Vulnerable Library)

Vulnerability Details

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

Publish Date: 2018-09-10

URL: CVE-2018-11775

CVSS 3 Score Details (7.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041618

Fix Resolution: The vendor has issued a fix (5.15.6). The vendor advisory is available at: http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt


stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within 7 days. Thank you for your contributions.