Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 23 Sep 2016 12:14:14 +0100
From: Martyn Taylor <mtaylor@...hat.com>
To: security@...che.org, Matthias Kaiser <matthias.kaiser@...e-white.com>, 
	oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, 
	dev@...ivemq.apache.org, users@...ivemq.apache.org
Subject: [CVE-2016-4978] Apache ActiveMQ Artemis: Deserialization of untrusted
 input vunerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Artemis 1.0.0, 1.1.0, 1.2.0, 1.3.0

A class implementing the Serializable interface is free to implement
the “readObject(java.io.ObjectInputStream
in)” method however it chooses. This readObject method is used during the
deserialization process, when constructing a java object from a serialized
byte stream. It is possible to implement the method in such a way that can
result in java code being executed during the deserialization of an object
of this class (gadget class).

The JMS specification outlines a getObject() method on the
javax.jms.ObjectMessage
class. The Apache Artemis implementation of this method allows
deserialization of objects, from untrusted input. There are several places
where Apache Artemis uses this getObject() method. In the JMS Core client,
the Artemis broker and the Artemis REST component. These Artemis components
may therefore be vulnerable to a remote code execution attack. Successful
exploitations of this vulnerability rely on these "gadget classes"  being
present on the Artemis classpath and the sender of the untrusted input
being authenticated and authorized to send messages to the Artemis broker.

The code execution exploit may happen under the following circumstances:

· In the JMS client when consuming an object message.

· In the REST module when a REST client requests to consume a message that
was originally sent as an object message (cross protocol).

· In the Artemis management layer, when a client sends an object message to
a management address.

· On the broker when an AMQP client consumes a message that was originally
sent as an object message (cross protocol).

For this exploit to occur the sender of the compromised message needs to be
authenticated and authorized in order to send the message to the Artemis
broker and affected classes (gadget classes) present on the Artemis class
path.

Mitigation:
To secure the Apache Artemis broker and management layer:
** Upgrade to 1.4.0.

For the Apache Artemis REST module and Apache Artemis JMS client.
** Upgrade to Apache Artemis 1.4.0
** Configure the appropriate deserialization white/black lists as outlined
in the Artemis documentation.

Credit: This issue was discovered by Matthias Kaiser of Code White (
www.code-white.com)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.