com.rabbitmq:amqp-client vulnerability found in com.ibm.streamsx.messaging/pom.xml #348

Closed
schubon opened this issue Oct 23, 2018 · 1 comment

schubon commented Oct 23, 2018

Remediation:

Upgrade com.rabbitmq:amqp-client to version 4.8.0 or later. For example:

<dependency>
    <groupId>com.rabbitmq</groupId>
    <artifactId>amqp-client</artifactId>
    <version>[4.8.0,)</version>
</dependency>

Details:

CVE-2018-11087 More information
moderate severity
Vulnerable versions: < 4.8.0
Patched version: 4.8.0

Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.
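What the remediation means in application code, as an added illustration that is not code from this issue, from the streamsx.messaging project, or from the amqp-client project itself: the upgrade to 4.8.0 makes hostname verification available, but in the RabbitMQ Java client it is opt-in, so a caller also has to switch it on. The broker host, trust-store path and password below are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

/**
 * Illustrative TLS setup for com.rabbitmq:amqp-client (not project code).
 * Contrasts the weak configuration that an interceptor can exploit with a
 * hardened one that validates the chain and checks the hostname.
 */
public class AmqpTlsExample {

    // Weak form: useSslProtocol() with no arguments installs a trust manager
    // that accepts every server certificate, and no hostname check is made.
    // Any party that can intercept traffic can present its own certificate.
    static ConnectionFactory weakFactory(String host) throws Exception {
        ConnectionFactory f = new ConnectionFactory();
        f.setHost(host);
        f.setPort(5671);
        f.useSslProtocol();             // trusts everything; development only
        return f;
    }

    // Hardened form: trust only the CA(s) in an explicit trust store
    // (hypothetical path and password), then verify that the certificate's
    // name matches the host that was dialled.
    static ConnectionFactory hardenedFactory(String host,
                                             String trustStorePath,
                                             char[] trustStorePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);

        ConnectionFactory f = new ConnectionFactory();
        f.setHost(host);
        f.setPort(5671);
        f.useSslProtocol(ctx);          // chain validation against our trust store
        f.enableHostnameVerification(); // available from 4.8.0; not on by default
        return f;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; replace with the real broker and trust store.
        ConnectionFactory f = hardenedFactory(
            "rabbit.example.internal",
            "/etc/app/rabbit-truststore.jks",
            "changeit".toCharArray());
        try (Connection c = f.newConnection()) {
            System.out.println("connected to " + c.getAddress());
        }
    }
}
```

The two settings are independent: chain validation without hostname verification still accepts any certificate that the trusted CA issued for some other host, and hostname verification on top of a trust-everything manager checks a name that was never authenticated. A quick audit after the upgrade is to grep the code base for `useSslProtocol(` calls with no arguments and for the absence of `enableHostnameVerification(`.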

@schubon schubon self-assigned this Oct 23, 2018
schubon pushed a commit that referenced this issue Oct 23, 2018
Accompanied by some code adaptations because of removed and added
overrides.
schubon commented Oct 24, 2018

Contained in v5.3.11

@schubon schubon closed this as completed Oct 24, 2018