FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

activemq -- Unsafe deserialization

Affected packages
activemq < 5.13.0

Details

VuXML ID a258604d-f2aa-11e5-b4a9-ac220bdcec59
Discovery 2016-01-08
Entry 2016-03-25

Alvaro Muñoz, Matthias Kaiser and Christian Schneider report:

JMS Object messages depend on Java Serialization for marshaling/unmarshaling of the message payload. There are a couple of places inside the broker where deserialization can occur, like web console or stomp object message transformation. As deserialization of untrusted data can lead to security flaws as demonstrated in various reports, this leaves the broker vulnerable to this attack vector. Additionally, applications that consume ObjectMessage type of messages can be vulnerable as they deserialize objects on ObjectMessage.getObject() calls.
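The last sentence of the report is the part that affects application code rather than the broker: ObjectMessage.getObject() runs Java deserialization on whatever bytes the producer sent. The following is an added example, not code from the advisory or from the ActiveMQ project, showing the consumer-side mitigation a practitioner would want: restricting deserialization to an allow-list with the JDK's ObjectInputFilter (JEP 290, Java 9 and later). It assumes the application receives the payload as raw bytes (for instance from a BytesMessage) and deserializes it itself, so the filter is applied before any class named in the stream is instantiated; the OrderEvent class and the sample payloads are constructed for the demonstration.

```java
// Added example (not from the advisory or the ActiveMQ project): consumer-side
// allow-list for Java deserialization using the JDK's ObjectInputFilter (JEP 290).
// Assumptions: the application holds the serialized payload as raw bytes and
// deserializes it itself; OrderEvent and the sample payloads are constructed.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class SafeObjectPayload {

    /** Constructed payload type standing in for the application's own message class. */
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String orderId;
        public final int quantity;
        public OrderEvent(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    /**
     * Allow-list filter: only the application's payload class and a few java.lang
     * value types may be deserialized. The trailing "!*" rejects every other class
     * before its readObject logic or constructors run; maxdepth/maxrefs bound the
     * size of the object graph a remote producer can make the consumer build.
     */
    static final ObjectInputFilter PAYLOAD_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;"
            + OrderEvent.class.getName() + ";"
            + "java.lang.String;java.lang.Integer;java.lang.Long;!*");

    /** Deserializes a payload under the allow-list; a rejected class raises InvalidClassException. */
    public static Object deserializeTrusted(byte[] payload)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(PAYLOAD_FILTER);
            return ois.readObject();
        }
    }

    /** Builds sample payloads for the demonstration (stands in for a producer). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected payload type: passes the filter and is returned to the application.
        OrderEvent ok = (OrderEvent) deserializeTrusted(serialize(new OrderEvent("A-1", 3)));
        System.out.println("accepted: " + ok.orderId + " x" + ok.quantity);

        // Any class the application did not list (a HashMap here, standing in for
        // whatever an untrusted producer might send) is rejected before its
        // deserialization logic runs.
        try {
            deserializeTrusted(serialize(new HashMap<String, String>()));
            System.out.println("BUG: unlisted class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java SafeObjectPayload.java` (single-file launch, Java 11 and later). Where the deserialization happens inside a client library rather than in application code, as it does for ObjectMessage.getObject(), the same pattern syntax can be applied process-wide through the `jdk.serialFilter` system property (`-Djdk.serialFilter='...'`), which sets the JVM's default filter for every ObjectInputStream that does not install its own.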

References

CVE Name CVE-2015-5254
URL http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt