CVE-2016-4978

Impact:
Moderate
Public Date:
2016-09-23
Bugzilla:
1379207: CVE-2016-4978 Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability
It was found that Apache ActiveMQ Artemis (and the HornetQ code base it descends from) did not safely handle user-supplied data when deserializing the body of a JMS ObjectMessage: calling getObject() on a received ObjectMessage deserialized whatever class the sender chose, with no restriction on the types allowed. A remote attacker able to deliver a message to a consumer could use this flaw to execute arbitrary code with the permissions of the application that reads the ObjectMessage.
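The pattern behind the flaw, and the core of the mitigation, as an added example that is not code from the Artemis project or from this advisory. The OrderEvent and Unexpected classes, the serialize() helper and the allowlist are all constructed for the demo; the "unchecked" path mirrors what ObjectMessage.getObject() did before the fix, and the "allowlisted" path is the same idea Artemis later exposes through its connection-factory deserialization allow/deny lists (property names vary by version; consult the documentation for the release you run). Unexpected stands in for any Serializable class on the consumer's classpath whose readObject() does something the application never intended.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/*
 * Added example, not Artemis project code. Shows why a consumer that calls
 * ObjectMessage.getObject() on an untrusted message is exposed, and the
 * allowlist check that closes the hole. All class names below are assumptions
 * made for the demonstration.
 */
public class ObjectMessageDeserialization {

    /** The one type the application actually expects to receive. */
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
    }

    /** Stand-in for any other Serializable class present on the consumer's classpath. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // In a real gadget chain, attacker-chosen logic runs here, during
            // deserialization, before the application ever looks at the object.
            System.out.println("readObject() of " + getClass().getSimpleName() + " ran during deserialization");
        }
    }

    /** Serialize a value the way a producer's ObjectMessage body ends up on the wire. */
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: equivalent to ObjectMessage.getObject() before the fix. */
    static Object deserializeUnchecked(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    /** Hardened: every class in the stream is checked by name before an instance is created. */
    static Object deserializeAllowlisted(byte[] body, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!allowed.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
                }
                return super.resolveClass(desc);
            }
        }) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(OrderEvent.class.getName());
        byte[] good = serialize(new OrderEvent("A-42"));   // constructed legitimate body
        byte[] bad  = serialize(new Unexpected());         // constructed hostile body

        // Unchecked: both bodies are accepted and Unexpected.readObject() runs.
        System.out.println("unchecked good: " + deserializeUnchecked(good).getClass().getSimpleName());
        System.out.println("unchecked bad:  " + deserializeUnchecked(bad).getClass().getSimpleName());

        // Allowlisted: the expected type still works ...
        System.out.println("allowlisted good: " + deserializeAllowlisted(good, allowed).getClass().getSimpleName());
        // ... and the unexpected class is rejected before its readObject() can execute.
        try {
            deserializeAllowlisted(bad, allowed);
        } catch (InvalidClassException e) {
            System.out.println("allowlisted bad rejected: " + e.getMessage());
        }
    }
}
```

The check lives in resolveClass(), which the JDK calls for every class descriptor in the stream before any object of that class is instantiated, so a rejected class never gets a chance to run readObject() or readResolve(). An allowlist of expected types is preferable to a denylist of known gadgets, since the gadget set grows with every library on the classpath; on Java 9 and later the same effect can be had process-wide with an ObjectInputFilter (jdk.serialFilter), which also covers deserialization the application does not control directly.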

Find out more about CVE-2016-4978 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score 6.0
Base Metrics AV:N/AC:M/Au:S/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication Single
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

CVSS v3 metrics

CVSS3 Base Score 6.6
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Changed
Confidentiality Impact Low
Integrity Impact Low
Availability Impact Low

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (hornetq) RHSA-2018:1449 2018-05-14
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) RHSA-2017:3458 2017-12-13
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) RHSA-2018:1451 2018-05-14
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server RHSA-2017:3454 2017-12-13
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (hornetq) RHSA-2018:1450 2018-05-14
Red Hat JBoss EAP 7 RHSA-2017:1836 2017-07-31
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server RHSA-2017:1835 2017-07-31
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) RHSA-2017:1837 2017-07-31
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) RHSA-2017:3458 2017-12-13
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server RHSA-2017:1834 2017-07-31
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server RHSA-2017:3455 2017-12-13
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) RHSA-2017:1837 2017-07-31
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2018:1447 2018-05-14
Red Hat JBoss EAP 7 RHSA-2017:3456 2017-12-13
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (hornetq) RHSA-2018:1448 2018-05-14

Affected Packages State

Platform Package State
Red Hat Subscription Asset Manager 1 hornetq Will not fix
Red Hat Single Sign-On 7 hornetq Will not fix
Red Hat Satellite 6 hornetq Will not fix
Red Hat JBoss Portal Platform 6 hornetq Will not fix
Red Hat JBoss Operations Network 3 hornetq Will not fix
Red Hat JBoss Fuse Service Works 6 hornetq Will not fix
Red Hat JBoss Fuse 6 hornetq Will not fix
Red Hat JBoss Enterprise SOA Platform 5 hornetq Will not fix
Red Hat JBoss Data Grid 6 hornetq Will not fix
Red Hat JBoss BRMS 6 hornetq Not affected
Red Hat JBoss BRMS 5 hornetq Will not fix
Red Hat JBoss BPMS 6 hornetq Not affected
Red Hat JBoss A-MQ 7 Artemis Will not fix