Date: Sat, 2 Jul 2016 02:15:24 +0100 From: Robbie Gemmell <robbie@...che.org> To: "dev@...d.apache.org" <dev@...d.apache.org>, "users@...d.apache.org" <users@...d.apache.org>, announce@...che.org, "security@...che.org" <security@...che.org>, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com Subject: [SECURITY] CVE-2016-4974: Apache Qpid: deserialization of untrusted input while using JMS ObjectMessage [CVE-2016-4974] Apache Qpid: deserialization of untrusted input while using JMS ObjectMessage Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Qpid AMQP 0-x JMS client 6.0.3 and earlier Qpid JMS (AMQP 1.0) client 0.9.0 and earlier Description: When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process of constructing the body to return. Unless the application has taken outside steps to limit the deserialization process, they can't protect against input that might try to make undesired use of classes available on the application classpath that might be vulnerable to exploitation. Mitigation: Users using ObjectMessage can upgrade to Qpid AMQP 0-x JMS client 6.0.4 or Qpid JMS (AMQP 1.0) client 0.10.0 or later, and use the new configuration options to whitelist trusted content permitted for deserialization. When so configured, attempts to deserialize input containing other content will be prevented. Alternatively, users of older client releases may utilise other means such as agent-based approach to help govern content permitted for deserialization in their application. Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ