Bug#809733: activemq: CVE-2015-5254: unsafe deserialization
carnil at debian.org
Sun Jan 3 14:33:11 UTC 2016
Tags: security upstream fixed-upstream
The following vulnerability was published for activemq. I'm not very
familiar with activemq itself, so I'm reporting this with initial
severity grave, but let me know if you disagree.
Upstream advisory is at:
| JMS Object messages depend on Java Serialization for marshaling/unmarshaling
| of the message payload. There are a couple of places inside the broker where
| deserialization can occur, like web console or stomp object message
| transformation. As deserialization of untrusted data can lead to security
| flaws as demonstrated in various reports, this leaves the broker vulnerable to
| this attack vector. Additionally, applications that consume ObjectMessage type
| of messages can be vulnerable as they deserialize objects on
| ObjectMessage.getObject() calls.
| Upgrade to Apache ActiveMQ 5.13.0. Additionally if you're using ObjectMessage
| message type, you need to explicitly list trusted packages. To see how to do
| that, please take a look at: http://activemq.apache.org/objectmessage.html
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see: