HiveMQ Libraries Vulnerable in Docker Image Vulnerabilities

Hi Team,

We are using the hivemq4 image with the dns-latest tag. But while doing a vulnerability scan on the hivemq4 Docker image, we get the vulnerable packages below.

com.fasterxml.jackson.core:jackson-databind critical SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676 AV:N https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676?utm_campaign=smartcheck-vulndb&utm_medium=partner&utm_source=trendmicro
com.fasterxml.jackson.core:jackson-databind critical SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943 AV:N https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943?utm_campaign=smartcheck-vulndb&utm_medium=partner&utm_source=trendmicro
com.fasterxml.jackson.core:jackson-databind critical SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500 AV:N https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500?utm_campaign=smartcheck-vulndb&utm_medium=partner&utm_source=trendmicro
io.netty:netty-handler high SNYK-JAVA-IONETTY-30433 AV:N https://snyk.io/vuln/SNYK-JAVA-IONETTY-30433?utm_campaign=smartcheck-vulndb&utm_medium=partner&utm_source=trendmicro
jackson-databind medium CVE-2018-1000873 AV:N https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873
jackson-databind medium CVE-2018-12022 AV:N https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

There is a recommendation in the link to upgrade the Java libraries.

So could you please help us with how to get this resolved, or how to upgrade to a higher version?
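A small triage helper for scanner rows in the format quoted above (package, severity, id, attack vector, URL). This is an added example, not HiveMQ's code or the scanner's; the SAMPLE text is constructed from the rows in the post and deliberately repeats some of them. It de-duplicates rows, merges the `group:artifact` and bare-artifact spellings of the same library, strips the utm_ tracking parameters from the URLs, and orders findings per artifact by severity.

```python
"""Triage helper for dependency-scan rows like those quoted above.
Added example (not HiveMQ's code); SAMPLE is constructed from the post."""
from collections import defaultdict
from typing import NamedTuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


class Finding(NamedTuple):
    artifact: str   # artifact name only, so "group:artifact" and bare names merge
    severity: str
    vuln_id: str
    vector: str
    url: str        # utm_* tracking parameters removed, other query params kept


def strip_tracking(url: str) -> str:
    """Drop utm_* query parameters; keep e.g. ?name=CVE-... on MITRE links."""
    s = urlsplit(url)
    q = [(k, v) for k, v in parse_qsl(s.query) if not k.startswith("utm_")]
    return urlunsplit(s._replace(query=urlencode(q)))


def parse_line(line: str):
    """Parse one row '<package> <severity> <id> <AV:x> <url>'; None if not a row."""
    parts = line.split()
    if len(parts) != 5 or parts[1].lower() not in SEVERITY_RANK:
        return None
    package, severity, vuln_id, vector, url = parts
    artifact = package.rsplit(":", 1)[-1]
    return Finding(artifact, severity.lower(), vuln_id, vector, strip_tracking(url))


def parse_report(text: str) -> list:
    """All rows with exact duplicates dropped, first-seen order kept."""
    seen, out = set(), []
    for line in text.splitlines():
        f = parse_line(line)
        if f is not None and f not in seen:
            seen.add(f)
            out.append(f)
    return out


def group_by_artifact(findings) -> dict:
    """Map artifact -> its findings, most severe first (stable for ties)."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.artifact].append(f)
    return {a: sorted(fs, key=lambda f: -SEVERITY_RANK[f.severity]) for a, fs in grouped.items()}


SAMPLE = """\
com.fasterxml.jackson.core:jackson-databind critical SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676 AV:N https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676?utm_source=trendmicro
com.fasterxml.jackson.core:jackson-databind critical SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943 AV:N https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943?utm_source=trendmicro
com.fasterxml.jackson.core:jackson-databind critical SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943 AV:N https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943?utm_source=trendmicro
io.netty:netty-handler high SNYK-JAVA-IONETTY-30433 AV:N https://snyk.io/vuln/SNYK-JAVA-IONETTY-30433?utm_source=trendmicro
io.netty:netty-handler high SNYK-JAVA-IONETTY-30433 AV:N https://snyk.io/vuln/SNYK-JAVA-IONETTY-30433?utm_source=trendmicro
jackson-databind medium CVE-2018-1000873 AV:N https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873
"""

if __name__ == "__main__":
    for artifact, fs in group_by_artifact(parse_report(SAMPLE)).items():
        print(artifact, [(f.severity, f.vuln_id) for f in fs])
```

The grouped output is what to take to the vendor or to your own jar inventory of the image: one row per distinct advisory, not one per scanner hit.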

Hey rp85,

Thank you for your report. We're always keen on insights that help us to continue making HiveMQ a better and more secure product! Our developers reviewed the mentioned vulnerabilities, and I can confirm we still consider HiveMQ 4 secure in production environments.

Two notes:

  • Jackson is used for control center functionality and currently has no known route of exploitation within our well-defined use.
  • We consider the netty results to be false positives (stemming from tcnative).

Nonetheless, we will of course incorporate updates to the libraries we use in the next HiveMQ release.
I hope this resolves any uncertainty on your end.

Regards,
Finn from the HiveMQ team
