AMQ Broker / ENTMQBR-8716

AMQ 7: Timestamp on OpenWire JAR is misleading


Details

    • Bug
    • Resolution: Done
    • Major
    • None
    • AMQ 7.11.5.GA
    • openwire-protocol
    • None
    • False
    • None
    • False
    • Moderate

    Description

      A serious security defect, logged as CVE-2023-46604, was logged against OpenWire protocol handlers in 2023. The CVE was reported fixed in AMQ 7.11.4, but there is a file `activemq-openwire-legacy-5.11.0.redhat-630517.jar` dated Jan 2023. That's before the fix.

      This is confusing to customers, and/or their security scanners. We tell customers that the CVE is fixed, but a casual look at the timestamps suggests that the JARs are still affected. To see when the JARs were actually built, we have to look at the timestamps in the enclosed files, or unpack specific files in the `META-INF/` directory.

      I understand that the 'incorrect' timestamps are an artefact of the product build process, and do not reflect the actual build date. It's clear, with detailed inspection, that the changes for the CVE have been incorporated. But it's not obvious to customers.

      It seems logical to me that the timestamps on files should reflect the time when their contents were updated.
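The check the description alludes to, as an added example that is not part of the original issue: a small Python script that compares a JAR's filesystem mtime with the newest entry timestamp recorded in its zip central directory and parses `META-INF/MANIFEST.MF`. The sample JAR it builds (entries stamped November 2023, file mtime then set back to January 2023) and the manifest attributes inside it are constructed for the demonstration; they are not taken from any Red Hat artifact.

```python
"""Compare a JAR's filesystem timestamp with the timestamps of the entries
inside it and with its manifest.  Added example; the sample JAR is
constructed inline and is not a Red Hat artifact."""
import os
import tempfile
import zipfile
from datetime import datetime


def newest_entry_time(jar_path):
    """Return (datetime, entry_name) of the newest file entry in the archive.

    Zip entry times are DOS format: local time, 2-second resolution, and set
    by whatever tool packaged the archive, so treat them as evidence only."""
    newest = None
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ts = datetime(*info.date_time)
            if newest is None or ts > newest[0]:
                newest = (ts, info.filename)
    return newest


def read_manifest(jar_path):
    """Parse META-INF/MANIFEST.MF into a dict.

    Manifest lines longer than 72 bytes are wrapped; a continuation line
    starts with a single space and is appended to the previous attribute."""
    attrs = {}
    last = None
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            return attrs  # no manifest at all
    for line in raw.splitlines():
        if not line:
            continue
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, val = line.partition(":")
            last = key.strip()
            attrs[last] = val.strip()
    return attrs


def build_report(jar_path):
    """Summarise what the file system says versus what the archive says."""
    fs_mtime = datetime.fromtimestamp(os.path.getmtime(jar_path))
    newest_ts, newest_name = newest_entry_time(jar_path)
    return {
        "file_mtime": fs_mtime,
        "newest_entry": newest_ts,
        "newest_entry_name": newest_name,
        # True means the archive contents are newer than the file's own
        # timestamp, i.e. the file date is not the build date.
        "entries_newer_than_file": newest_ts > fs_mtime,
        "manifest": read_manifest(jar_path),
    }


def make_sample_jar(path):
    """Constructed sample: entries stamped Nov 2023, file mtime set to Jan 2023.
    Names and attribute values are hypothetical."""
    with zipfile.ZipFile(path, "w") as zf:
        mf = zipfile.ZipInfo("META-INF/MANIFEST.MF",
                             date_time=(2023, 11, 20, 10, 0, 0))
        zf.writestr(mf, "Manifest-Version: 1.0\r\n"
                        "Implementation-Version: example-1.0\r\n")
        cls = zipfile.ZipInfo("org/example/openwire/Sample.class",
                              date_time=(2023, 11, 20, 10, 0, 2))
        zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic only
    jan = datetime(2023, 1, 15, 12, 0, 0).timestamp()
    os.utime(path, (jan, jan))


def sample_report():
    """Build the constructed JAR in a temp dir and report on it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample-openwire.jar")
        make_sample_jar(path)
        return build_report(path)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Run it against a real JAR with `build_report("/path/to/file.jar")`. A scanner that keys on the filesystem timestamp, or on the version in the file name, will still flag the JAR regardless of what the entry timestamps or manifest say; the authoritative answer remains the fix version stated in the product's advisory.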

People

dbruscin Domenico Francesco Bruscino
rhn-support-kboone Kevin Boone
Roman Vais Roman Vais