Bug 1320038

Summary: hornetq: Client deserialization of untrusted data in HornetQMessage and HornetQObjectMessage
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bbaranow, bkearney, bmaxwell, cbillett, cdewolf, cpelland, csutherl, dandread, darran.lofthouse, fnasser, huwang, jason.greene, jawilson, jshepherd, lgao, mmccune, myarboro, ohadlevy, ppalaga, pslavice, rnetuka, rsvoboda, security-response-team, tlestach, tomckay, twalsh, vtunka
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 00:51:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1320756, 1320758, 1320759
Bug Blocks: 1320039

Description Adam Mariš 2016-03-22 08:04:52 UTC
It was reported that HornetQ 2.4.0 and earlier is vulnerable to deserialization of untrusted data allowing possible remote code execution. Method `getBodyInternal(Class<T> c)` in class `org.hornetq.jms.client.HornetQMessage` and method `getObject()` in class `org.hornetq.jms.client.HornetQObjectMessage` are both found to be vulnerable.

Vulnerable code:

`org.hornetq.jms.client.HornetQMessage`:

```java
@SuppressWarnings("unchecked")
protected <T> T getBodyInternal(Class<T> c) throws MessageFormatException
{
   InputStream is = ((MessageInternal)message).getBodyInputStream();
   try
   {
      ObjectInputStream ois = new ObjectInputStream(is); //<-- untrusted
      return (T)ois.readObject();
   }
   catch (Exception e)
   {
      throw new MessageFormatException(e.getMessage());
   }
}
```

`org.hornetq.jms.client.HornetQObjectMessage`:

```java
public Serializable getObject()
   throws JMSException
{
   if ((data == null) || (data.length == 0))
   {
      return null;
   }

   try
   {
      ByteArrayInputStream bais = new ByteArrayInputStream(data);
      ObjectInputStream ois = new ObjectInputStreamWithClassLoader(bais);
      return (Serializable)ois.readObject(); // <-- untrusted

   }
   catch (Exception e)
   {
      JMSException je = new JMSException(e.getMessage());
      je.setStackTrace(e.getStackTrace());
      throw je;
   }
}
```

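The two methods above hand a message body straight to `ObjectInputStream.readObject()`, so whatever class the sender serialized gets resolved and instantiated on the consumer. The usual consumer-side control is to decide which classes are acceptable before any of them is loaded. The following is an added illustration of that control, written for this page; it is not HornetQ code and not the reporter's, and the payload class `OrderEvent`, the stand-in class `Unexpected`, and the helper `readBody()` (which mirrors the shape of `getObject()`) are all hypothetical names chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Illustrative mitigation (not HornetQ code): an ObjectInputStream that only
 * resolves classes on an explicit allowlist. A body that names any other class
 * is rejected in resolveClass(), before that class is loaded or its
 * readObject() logic can run.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Refuse here: nothing about the unexpected class has been loaded yet.
            throw new InvalidClassException(name, "class not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Hypothetical application payload type a consumer legitimately expects.
    public static class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
    }

    // Hypothetical stand-in for any class the consumer never expects in a body.
    public static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Same shape as getObject() above (bytes in, Serializable out), with the allowlist applied. */
    static Serializable readBody(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        if (data == null || data.length == 0) {
            return null;
        }
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return (Serializable) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(OrderEvent.class.getName(), String.class.getName());

        // Constructed sample message bodies for the demonstration.
        byte[] expected = serialize(new OrderEvent("order-42"));
        byte[] unexpected = serialize(new Unexpected());

        OrderEvent ok = (OrderEvent) readBody(expected, allowed);
        System.out.println("accepted: " + ok.orderId);

        try {
            readBody(unexpected, allowed);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` deserializes the `OrderEvent` body and rejects the `Unexpected` one with an `InvalidClassException`. On Java 9 and later the same policy can be expressed without a subclass through `ObjectInputStream.setObjectInputFilter()` (JEP 290) or the `jdk.serialFilter` system property; the subclass form is shown because it also works on the Java 6/7/8 runtimes HornetQ 2.4 targeted. Whichever form is used, the list should contain only the concrete classes the consumer is designed to receive, and rejections are worth logging, since an unexpected class name in a message body is a useful detection signal.
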
Comment 1 Adam Mariš 2016-03-22 08:05:13 UTC
Acknowledgments:

Name: Matthias Kaiser (Code White)

Comment 2 Jason Shepherd 2016-03-24 00:07:03 UTC
Created hornetq tracking bugs for this issue:

Affects: fedora-all [bug 1320756]

Comment 4 Jason Shepherd 2016-03-24 00:47:34 UTC
Tracker for EAP 7: https://issues.jboss.org/browse/JBEAP-3945

Comment 5 Jason Shepherd 2016-03-24 00:53:32 UTC

*** This bug has been marked as a duplicate of bug 1291292 ***