Dear community,
Some vulnerabilities were detected in the following open source SW:
Apache ActiveMQ 5.18.0 before 5.18.3
Apache ActiveMQ 5.17.0 before 5.17.6
Apache ActiveMQ 5.16.0 before 5.16.7
Apache ActiveMQ before 5.15.16
Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
QID (Remote) - 730963 - Apache ActiveMQ Remote Code Execution (RCE) Vulnerability (CVE-2023-46604)
QID (Authenticated) - 995775 - Java (Maven) Security Update for org.apache.activemq:activemq-client (GHSA-crg9-44h2-xw35)
To my knowledge, none of the above SW is used inside any DataMiner module or related applications (Cassandra, Elasticsearch).
Can you confirm my understanding?
Thanks!
Hi Koen,
You are correct that DataMiner doesn't use any of the components.
ElasticSearch doesn't use ActiveMQ since it's not listed on their dependencies list nor did they release a security advisory. For Cassandra and Opensearch, there is not so much documentation on their dependencies, but since they didn't release a security advisory yet I believe they don't use it either.
Kind regards,
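To back the conclusion above with direct evidence from a host, the following added example (not part of either post, and not DataMiner or Apache code) walks an installation directory and reports any ActiveMQ jar whose version falls in the ranges listed in the question. It assumes the usual `activemq-<module>-<version>.jar` file naming and, for bundled or renamed jars, the `META-INF/maven/.../pom.properties` metadata that Maven-built artifacts normally carry; the function names are illustrative.

```python
import re
import zipfile
from pathlib import Path

# Fixed release per affected branch, from the version list in the question.
FIXED = {(5, 18): (5, 18, 3), (5, 17): (5, 17, 6), (5, 16): (5, 16, 7)}
OLDEST_FIX = (5, 15, 16)  # on any other branch, versions below this are affected

# Artemis shares the org.apache.activemq group but is a separate code base
# with its own version numbers, so both patterns exclude it.
JAR_NAME = re.compile(r"^activemq-(?!artemis)(?:[a-z][a-z0-9]*-)*(\d+)\.(\d+)\.(\d+)", re.I)
POM_PATH = re.compile(
    r"^META-INF/maven/org\.apache\.activemq/activemq-(?!artemis)[^/]+/pom\.properties$")
POM_VERSION = re.compile(r"^version=(\d+)\.(\d+)\.(\d+)", re.M)


def is_affected(version):
    """True if a (major, minor, patch) tuple is older than its branch's fix."""
    return version < FIXED.get(version[:2], OLDEST_FIX)


def jar_versions(jar):
    """Yield ActiveMQ versions seen in the file name or embedded Maven metadata."""
    m = JAR_NAME.match(jar.name)
    if m:
        yield tuple(map(int, m.groups()))
    try:
        with zipfile.ZipFile(jar) as zf:
            for entry in zf.namelist():
                if POM_PATH.match(entry):
                    text = zf.read(entry).decode("utf-8", "replace")
                    v = POM_VERSION.search(text)
                    if v:
                        yield tuple(map(int, v.groups()))
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: only file-name evidence is available


def scan(root):
    """Return sorted (path, version, affected) for ActiveMQ jars under root."""
    hits = set()
    for jar in Path(root).rglob("*.jar"):
        for v in jar_versions(jar):
            hits.add((str(jar), ".".join(map(str, v)), is_affected(v)))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("AFFECTED" if affected else "ok", version, path)
```

An empty result means no jar matched by name or Maven metadata; classes repackaged without that metadata would not be found this way.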