CVE-2015-5254
Find out more about CVE-2015-5254 from the MITRE CVE dictionary and NIST NVD.
Statement
A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.
CVSS v2 metrics
| Base Score | 6 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | Single |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss A-MQ 6.3 | RHSA-2016:2036 | 2016-10-06 |
| RHOSE Client 2.0 (activemq) | RHSA-2016:0489 | 2016-03-22 |
| Red Hat JBoss Fuse 6.3 | RHSA-2016:2035 | 2016-10-06 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Fuse Service Works 6.0.x | activemq | Will not fix |
| Red Hat JBoss EAP 7 | artemis | Will not fix |
| Red Hat JBoss EAP 6 | hornetq | Will not fix |
Mitigation
If you deploy a JMS publisher and subscriber and do not trust the messages sent to you by your clients, you can mitigate this issue by installing a Java agent that restricts the classes that can be deserialized. The following article describes the recommended approach:
https://access.redhat.com/solutions/2190911
You can also mitigate this issue using the serialization filtering features of the Java Virtual Machine added in JEP 290:
http://openjdk.java.net/jeps/290
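As an added illustration of the JEP 290 approach (this is example code written for this page; it is not Red Hat's, ActiveMQ's or Artemis's code), the Java 9+ program below applies an allow-list ObjectInputFilter to the ObjectInputStream that turns untrusted bytes into objects. The payload type OrderEvent, the filter pattern and the class name SerialFilterDemo are assumptions made for the example; only the expected application class is allowed, everything else is rejected by the trailing `!*`, and the graph limits bound the size of what a producer can make the consumer build.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example, not code from the Red Hat page: a JEP 290 allow-list filter
// applied where serialized message bodies are read.
public class SerialFilterDemo {

    // Hypothetical payload type that the consumer legitimately expects.
    static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int quantity;
        OrderEvent(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    // Allow-list pattern (assumed for this example): the expected payload class
    // and String; "!*" rejects every other class before it is instantiated.
    // maxdepth/maxrefs/maxbytes cap the object graph so an oversized or deeply
    // nested payload cannot exhaust the consumer.
    static final String FILTER_PATTERN =
        "SerialFilterDemo$OrderEvent;java.lang.String;maxdepth=5;maxrefs=50;maxbytes=65536;!*";

    static final ObjectInputFilter ALLOW_LIST =
        ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    // Helper used only to build sample input for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The single place untrusted bytes become objects. The filter is installed
    // before readObject(), so a disallowed class descriptor is rejected with
    // InvalidClassException and no constructor, readObject() or readResolve()
    // of that class ever runs.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the expected payload passes the filter.
        OrderEvent ok = (OrderEvent) deserializeFiltered(serialize(new OrderEvent("A-1", 3)));
        System.out.println("accepted: " + ok.orderId + " x" + ok.quantity);

        // Constructed sample input: a HashMap stands in for any class the
        // consumer did not expect. It is rejected, not deserialized.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try {
            deserializeFiltered(serialize(unexpected));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For a JMS client the ObjectInputStream is usually created inside the messaging library when ObjectMessage.getObject() is called, so the stream-level call above is not reachable from application code; in that case the same pattern is applied process-wide with the `jdk.serialFilter` system property (for example `-Djdk.serialFilter='com.example.messages.*;!*'`, where the package name is a placeholder for your own payload classes), which JEP 290 honours for every ObjectInputStream in the JVM.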
