Описание
Improper Input Validation in Apache ActiveMQ
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2015-5254
- https://github.com/apache/activemq/commit/6f03921b31d9fefeddb0f4fa63150ed1f94a14b
- https://github.com/apache/activemq/commit/73a0caf758f9e4916783a205c7e422b4db27905
- https://github.com/apache/activemq/commit/7eb9b218b2705cf9273e30ee2da026e43b6dd4e
- https://github.com/apache/activemq/commit/e7a4b53f799685e337972dd36ba0253c04bcc01
- https://github.com/apache/activemq
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680
- https://issues.apache.org/jira/browse/AMQ-6013
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E
- http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174371.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174537.html
- http://rhn.redhat.com/errata/RHSA-2016-0489.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://rhn.redhat.com/errata/RHSA-2016-2036.html
- http://www.debian.org/security/2016/dsa-3524
- http://www.openwall.com/lists/oss-security/2015/12/08/6
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Пакеты
org.apache.activemq:activemq-client
>= 5.0.0, < 5.11.3
5.11.3
org.apache.activemq:activemq-client
>= 5.12.0, < 5.12.2
5.12.2
Связанные уязвимости
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that c ...