CVE-2016-4978 Information

Description

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client (2) Artemis broker and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Reference

http://mail-archives.apache.org/mod_mbox/activemq-users/201609.mbox/3CCAH6wpnqzeNtpykT7emtDU1-GV7AvjFP5-YroWcCC4UZyQEFvtA40mail.gmail.com3E http://www.securityfocus.com/bid/93142 https://access.redhat.com/errata/RHSA-2017:1834 https://access.redhat.com/errata/RHSA-2017:1835 https://access.redhat.com/errata/RHSA-2017:1836 https://access.redhat.com/errata/RHSA-2017:1837 https://access.redhat.com/errata/RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1451 https://lists.apache.org/thread.html/7260bd0955c12aac5bd892039d3356ba3aa0ff4caaf2aa4fd4fe84a2@3Cissues.activemq.apache.org3E https://lists.apache.org/thread.html/d4ffbc6a43a915324a394b2913ceb7d07bc352f2d08caa19df0aff02@3Cissues.activemq.apache.org3E https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.2