Description
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.
It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.
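The root cause described above is that `ObjectMessage.getObject()` hands attacker-controlled serialized bytes to Java deserialization, and any gadget class on the consumer's classpath then becomes reachable. The defensive pattern on the consuming side is to never deserialize an untyped payload: carry the data as bytes and deserialize it only under a `java.io.ObjectInputFilter` (JDK 9+, backported to 8u121) that allows exactly the types the application expects. The following is an added example written for this page, not code from the Artemis project or from the advisory; `SafeObjectMessageConsumer`, `OrderEvent`, and the constructed payloads are hypothetical names and inputs used for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

// Hypothetical consumer that deserializes message payloads under an allow list
// instead of trusting whatever class descriptor the sender put in the stream.
public class SafeObjectMessageConsumer {

    /** The only application type this consumer expects inside a message body (hypothetical). */
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int quantity;
        OrderEvent(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    // Allow list: the expected payload type plus the JDK types it legitimately contains.
    // Anything else, including collection classes that gadget chains are built from, is rejected.
    private static final Set<String> ALLOWED = Set.of(
            OrderEvent.class.getName(),
            String.class.getName());

    // ObjectInputFilter is a functional interface; the filter is consulted for every class
    // descriptor before the class is resolved, so a rejected gadget class is never instantiated.
    static final ObjectInputFilter ALLOW_LIST_FILTER = info -> {
        // Cheap structural limits against deserialization bombs (deep graphs, huge arrays).
        if (info.depth() > 5 || info.arrayLength() > 1000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            // Not a class descriptor (e.g. a back-reference); let the stream continue.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        return ALLOWED.contains(clazz.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    /** Deserialize raw message bytes, allowing only the expected types. */
    public static Object deserializeChecked(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ALLOW_LIST_FILTER);
            return in.readObject(); // throws InvalidClassException when the filter says REJECTED
        }
    }

    /** Helper to build constructed sample payloads for the demonstration. */
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: one of the expected type, one of an unexpected type.
        byte[] expected = serialize(new OrderEvent("A-100", 3));
        byte[] unexpected = serialize(new HashMap<String, String>());

        OrderEvent evt = (OrderEvent) deserializeChecked(expected);
        System.out.println("accepted: " + evt.orderId + " x" + evt.quantity);

        try {
            deserializeChecked(unexpected);
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            // Expected path: the class descriptor for HashMap is rejected before any object is built.
            System.out.println("rejected unexpected class: " + e.getMessage());
        }
    }
}
```

In a real JMS consumer the bytes would come from a `BytesMessage` (or another body type the application controls) rather than from `ObjectMessage.getObject()`, because the provider performs that call's deserialization internally, where an application-level filter cannot be inserted. Where payloads must remain `ObjectMessage`, the same allow-list policy can be applied process-wide through the `jdk.serialFilter` system property, and the broker and client should be upgraded to a release at or above 1.4.0, where the advisory states the issue is fixed.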
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Red Hat AMQ Broker 7 | Artemis | Affected | | |
| Red Hat BPM Suite 6 | hornetq | Not affected | | |
| Red Hat JBoss BRMS 5 | hornetq | Will not fix | | |
| Red Hat JBoss BRMS 6 | hornetq | Not affected | | |
| Red Hat JBoss Data Grid 6 | hornetq | Out of support scope | | |
| Red Hat JBoss Fuse 6 | hornetq | Not affected | | |
| Red Hat JBoss Fuse Service Works 6 | hornetq | Will not fix | | |
| Red Hat JBoss Operations Network 3 | hornetq | Out of support scope | | |
| Red Hat JBoss Portal 6 | hornetq | Out of support scope | | |
| Red Hat JBoss SOA Platform 5 | hornetq | Will not fix | | |
Additional information
Status:
EPSS: 6.6 Medium
CVSS3: 6 Medium
CVSS2:
Related vulnerabilities
Apache ActiveMQ Artemis RCE Via Deserialization Gadget Chain