CVE-2015-5254

Impact:
Moderate
Public Date:
2015-12-08
CWE:
CWE-502
Bugzilla:
1291292: CVE-2015-5254 JMS ObjectMessage: unsafe deserialization
It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.

Find out more about CVE-2015-5254 from the MITRE CVE dictionary and NIST NVD.

Statement

A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.

CVSS v2 metrics

Base Score              6
Base Metrics            AV:N/AC:M/Au:S/C:P/I:P/A:P
Access Vector           Network
Access Complexity       Medium
Authentication          Single
Confidentiality Impact  Partial
Integrity Impact        Partial
Availability Impact     Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform                     Errata          Release Date
Red Hat JBoss A-MQ 6.3       RHSA-2016:2036  2016-10-06
RHOSE Client 2.0 (activemq)  RHSA-2016:0489  2016-03-22
Red Hat JBoss Fuse 6.3       RHSA-2016:2035  2016-10-06

Affected Packages State

Platform                                Package   State
Red Hat JBoss Fuse Service Works 6.0.x  activemq  Will not fix
Red Hat JBoss EAP 7                     artemis   Will not fix
Red Hat JBoss EAP 6                     hornetq   Will not fix

Mitigation

If you deploy a JMS publisher and subscriber and do not trust the messages sent to you by your clients, you can mitigate this issue by installing a Java agent that restricts the classes which can be deserialized. The following article describes the recommended approach:

https://access.redhat.com/solutions/2190911

You could also mitigate this issue using the features of the Java Virtual Machine added in JEP 290:

http://openjdk.java.net/jeps/290
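The JEP 290 route works by installing an ObjectInputFilter that decides, per class descriptor, whether a class in the stream may be resolved before any of its deserialization hooks run. The example below is added here to illustrate that mechanism; it is not code from Red Hat or from any of the affected products. It assumes a hypothetical consumer whose only legitimate payload type is the OrderEvent class defined in the block, uses the standard java.io.ObjectInputFilter API (Java 9 and later), and constructs its own serialized sample bytes in place of the bytes a JMS ObjectMessage would carry.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class FilteredDeserialization {

    // Hypothetical application payload type: the only object the consumer expects to receive.
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int quantity;

        OrderEvent(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    // Allowlist filter in JEP 290 pattern syntax: the expected payload type and the JDK
    // classes it needs are accepted; the trailing "!*" rejects every other class. The
    // limits bound the size and nesting of any object graph, which also blocks
    // resource-exhaustion payloads. Class names are matched against the stream's class
    // descriptors, so the nested class appears as FilteredDeserialization$OrderEvent.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=65536;"
            + "FilteredDeserialization$OrderEvent;"
            + "java.lang.String;java.lang.Number;java.lang.Integer;!*");

    // Helper that produces the serialized bytes a producer would place in the message.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Consumer side: deserialize with the allowlist installed on the stream. A class the
    // filter rejects surfaces as InvalidClassException before its constructor,
    // readObject or readResolve can execute.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads standing in for message bodies (not real captured data).
        byte[] expected = serialize(new OrderEvent("ord-42", 3));
        byte[] unexpected = serialize(new HashMap<String, String>());

        OrderEvent ev = (OrderEvent) deserializeFiltered(expected);
        System.out.println("accepted: " + ev.orderId + " x" + ev.quantity);

        try {
            deserializeFiltered(unexpected);
            System.out.println("unexpected: filter let an unlisted class through");
        } catch (InvalidClassException e) {
            // Expected outcome: java.util.HashMap is not on the allowlist, so it is rejected.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A per-stream filter is only possible where the application owns the ObjectInputStream. When a library performs the deserialization internally, as a JMS ObjectMessage implementation does when the object is retrieved, the same pattern string can be applied to every ObjectInputStream in the process through the jdk.serialFilter system property defined by JEP 290 (for example -Djdk.serialFilter="FilteredDeserialization$OrderEvent;java.lang.String;!*" on the JVM command line), which is the closer equivalent of the Java-agent approach described above.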
