Описание
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.
Отчет
A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.
Меры по смягчению последствий
If you do deploy a JMS publisher, and subscriber, and don't trust the messages sent to you by your clients, you could mitigate this issue by installing a Java agent which restricts the classes which can be deserialized. This is an article with the recommended approach: https://access.redhat.com/solutions/2190911 You could also mitigate this issue using the features of the Java Virtual Machine added in JEP 290: http://openjdk.java.net/jeps/290
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss A-MQ 6 | activemq | Affected | ||
| Red Hat JBoss Enterprise Application Platform 6 | hornetq | Will not fix | ||
| Red Hat JBoss Enterprise Application Platform 7 | artemis | Will not fix | ||
| Red Hat JBoss Fuse 6 | activemq | Affected | ||
| Red Hat JBoss Fuse Service Works 6.0 | activemq | Affected | ||
| Red Hat JBoss A-MQ 6.3 | Fixed | RHSA-2016:2036 | 06.10.2016 | |
| Red Hat JBoss Fuse 6.3 | Fixed | RHSA-2016:2035 | 06.10.2016 | |
| Red Hat OpenShift Enterprise 2.2 | activemq | Fixed | RHSA-2016:0489 | 22.03.2016 |
| Red Hat OpenShift Enterprise 2.2 | jenkins | Fixed | RHSA-2016:0489 | 22.03.2016 |
| Red Hat OpenShift Enterprise 2.2 | openshift-enterprise-upgrade | Fixed | RHSA-2016:0489 | 22.03.2016 |
Показывать по
Дополнительная информация
Статус:
EPSS
6 Medium
CVSS2
Связанные уязвимости
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that c ...
EPSS
6 Medium
CVSS2