Bug#809733: activemq: CVE-2015-5254: unsafe deserialization

Salvatore Bonaccorso carnil at debian.org
Sun Jan 3 14:33:11 UTC 2016


Source: activemq
Version: 5.6.0+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for activemq. I'm not very
familiar with activemq itself, so I'm reporting this with initial
severity grave, but let me know if you disagree.

CVE-2015-5254[0]:
Unsafe deserialization

Upstream advisory is at [1]:
| Description:
|
| JMS Object messages depend on Java Serialization for marshaling/unmarshaling
| of the message payload. There are a couple of places inside the broker where
| deserialization can occur, like web console or stomp object message
| transformation. As deserialization of untrusted data can lead to security
| flaws as demonstrated in various reports, this leaves the broker vulnerable to
| this attack vector. Additionally, applications that consume ObjectMessage type
| of messages can be vulnerable as they deserialize objects on
| ObjectMessage.getObject() calls.
|
| Mitigation:
|
| Upgrade to Apache ActiveMQ 5.13.0. Additionally if you're using ObjectMessage
| message type, you need to explicitly list trusted packages. To see how to do
| that, please take a look at: http://activemq.apache.org/objectmessage.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5254
[1] http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt

Regards,
Salvatore
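Editor's note: the advisory's mitigation ("explicitly list trusted packages") is the consumer-side control that matters most for CVE-2015-5254, so the following is added here as an illustration. It is example code written for this page, not code from the bug report, from Salvatore, or from the ActiveMQ project. It uses the ActiveMQConnectionFactory.setTrustedPackages / setTrustAllPackages API that the fixed ActiveMQ 5.13.0 client exposes (documented on the objectmessage.html page linked above); the broker URL, queue name and the com.example.orders.model package are placeholders.

```java
// Added example (not from the bug report or the ActiveMQ project): configure an
// ActiveMQ 5.13.0 client so that ObjectMessage payloads are deserialized only
// when their class belongs to an explicitly trusted package.
// Broker URL, queue name and the trusted package are placeholder values.
import java.util.Arrays;
import java.util.List;

import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Queue;
import javax.jms.Session;

import org.apache.activemq.ActiveMQConnectionFactory;

public class TrustedPackagesConsumer {

    // Placeholders; replace with your own broker and queue.
    private static final String BROKER_URL = "tcp://broker.example.invalid:61616";
    private static final String QUEUE_NAME = "orders.inbound";

    // Hypothetical application package whose classes may appear in payloads.
    // Any class outside this list (plus ActiveMQ's small built-in default list)
    // is rejected before it is instantiated.
    private static final List<String> TRUSTED_PACKAGES =
            Arrays.asList("com.example.orders.model");

    public static ActiveMQConnectionFactory hardenedFactory() {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        // Keep this false: true restores the pre-fix behaviour of deserializing
        // whatever class the sender names, which is exactly the flaw.
        factory.setTrustAllPackages(false);
        factory.setTrustedPackages(TRUSTED_PACKAGES);
        return factory;
    }

    public static void main(String[] args) throws JMSException {
        Connection connection = hardenedFactory().createConnection();
        connection.start();
        try {
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue queue = session.createQueue(QUEUE_NAME);
            MessageConsumer consumer = session.createConsumer(queue);

            Message message = consumer.receive(5000L);
            if (message instanceof ObjectMessage) {
                ObjectMessage objectMessage = (ObjectMessage) message;
                try {
                    // Deserialization happens here. With the trusted-package list in
                    // place, a payload whose class lies outside the list makes
                    // getObject() throw a JMSException instead of instantiating it.
                    Object payload = objectMessage.getObject();
                    System.out.println("Accepted payload of type " + payload.getClass().getName());
                } catch (JMSException rejected) {
                    // Log and drop (or dead-letter) rather than retry: the message
                    // will never become trustworthy on a second attempt.
                    System.err.println("Rejected untrusted ObjectMessage: " + rejected.getMessage());
                }
            }
        } finally {
            connection.close();
        }
    }
}
```

The same list can be supplied without code changes through the org.apache.activemq.SERIALIZABLE_PACKAGES system property, which is the practical route for the broker-side deserialization points the advisory mentions (web console, STOMP transformation) and for third-party consumers whose connection factory you do not control. Either way, the safe default is a short allow-list of your own payload packages, never trust-all.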