This repository has been archived by the owner on Apr 27, 2024. It is now read-only.
CVE-2015-5254 - Unsafe deserialization in ActiveMQ
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache ActiveMQ 5.0.0 - 5.12.1
Description:
JMS ObjectMessages depend on Java Serialization for marshaling/unmarshaling of the message payload. There are a couple of places inside the broker where deserialization can occur, such as the web console or STOMP object message transformation. As deserialization of untrusted data can lead to security flaws, as demonstrated in various reports, this leaves the broker vulnerable to this attack vector. Additionally, applications that consume ObjectMessage type messages can be vulnerable, as they deserialize objects on ObjectMessage.getObject() calls.
Mitigation:
Upgrade to Apache ActiveMQ 5.13.0. Additionally, if you're using the ObjectMessage message type, you need to explicitly list trusted packages. To see how to do that, please take a look at: http://activemq.apache.org/objectmessage.html
Credit:
This issue was discovered by:
* Alvaro Muñoz - @pwntester
* Matthias Kaiser - @matthias_kaiser
* Christian Schneider - @cschneider4711
Special thanks to Matthias Kaiser for providing the detailed analysis of the vulnerability.