Source: activemq
Version: 5.6.0+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,

the following vulnerability was published for activemq. I'm not very familiar with activemq itself, so I'm reporting this with initial severity grave, but let me know if you disagree.

CVE-2015-5254[0]:
Unsafe deserialization

Upstream advisory is at [1]:

| Description:
|
| JMS Object messages depend on Java Serialization for marshaling/unmarshaling
| of the message payload. There are a couple of places inside the broker where
| deserialization can occur, like web console or stomp object message
| transformation. As deserialization of untrusted data can lead to security
| flaws as demonstrated in various reports, this leaves the broker vulnerable to
| this attack vector. Additionally, applications that consume ObjectMessage type
| of messages can be vulnerable as they deserialize objects on
| ObjectMessage.getObject() calls.
|
| Mitigation:
|
| Upgrade to Apache ActiveMQ 5.13.0. Additionally if you're using ObjectMessage
| message type, you need to explicitly list trusted packages. To see how to do
| that, please take a look at: http://activemq.apache.org/objectmessage.html

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5254
[1] http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt

Regards,
Salvatore
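The consumer-side mitigation named in the advisory (an explicit list of trusted packages for ObjectMessage payloads), as an added Java example that is not part of this report or of ActiveMQ's own code. It assumes an ActiveMQ client of 5.13.0 or later, a broker at tcp://localhost:61616, a queue named `orders` and application payload classes in the package `com.example.orders`; all of these names are constructed for the illustration.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class TrustedObjectMessageConsumer {

    // Broker URL and queue name are constructed for this example.
    private static final String BROKER_URL = "tcp://localhost:61616";
    private static final String QUEUE = "orders";

    /** Factory whose ObjectMessages may only deserialize classes from an allow-list. */
    public static ActiveMQConnectionFactory trustedFactory() {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        // Allow-list only the package our own payload classes live in, plus java.lang
        // for boxed primitives and strings. A payload of any other class is rejected at
        // getObject() before its readObject() ever runs. Do not call
        // setTrustAllPackages(true): that restores the pre-5.13.0 behaviour.
        factory.setTrustedPackages(Arrays.asList("com.example.orders", "java.lang"));
        return factory;
    }

    public static void main(String[] args) throws JMSException {
        Connection connection = trustedFactory().createConnection();
        connection.start();
        try {
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageConsumer consumer = session.createConsumer(session.createQueue(QUEUE));
            Message received = consumer.receive(5000);
            if (!(received instanceof ObjectMessage)) {
                System.out.println("No ObjectMessage received within 5 s");
                return;
            }
            try {
                Object payload = ((ObjectMessage) received).getObject();
                System.out.println("Trusted payload of class " + payload.getClass().getName());
            } catch (JMSException e) {
                // Raised when the serialized class is outside the trusted packages;
                // log and drop the message rather than retrying it.
                System.err.println("Rejected untrusted ObjectMessage payload: " + e.getMessage());
            }
        } finally {
            connection.close();
        }
    }
}
```

The same allow-list can be supplied without a code change through the JVM system property `org.apache.activemq.SERIALIZABLE_PACKAGES` (a comma-separated package list), which is useful for existing consumers that cannot be rebuilt.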