Bug 1379207 (CVE-2016-4978)
Summary: | CVE-2016-4978 Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Hooman Broujerdi <hghasemb>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | aileenc, alazarot, bbaranow, bcourt, bkearney, bmaxwell, cbillett, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dosoudil, erismith, etirelli, fnasser, gvarsami, jason.greene, jawilson, jboss-set, jcoleman, jmatthew, jshepherd, kconner, kverlaen, ldimaggi, lgao, lpetrovi, mbaluch, mmccune, mstead, mwinkler, myarboro, nwallace, ohadlevy, pgier, psakar, pslavice, ravpatil, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, spinder, tcunning, theute, tkirby, tlestach, tomckay, tsanders, twalsh, vtunka, wei.chen
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | It was found that use of a JMS ObjectMessage does not safely handle user-supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2019-06-08 02:59:06 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1444234, 1444235, 1472036 | |
Bug Blocks: | 1393642, 1474181, 1520314 | |
Description
Hooman Broujerdi
2016-09-26 04:00:25 UTC
Once the fix is in place for this issue, developers need to specify the whitelist and blacklist of classes that are allowed to be serialized as a query string on their broker URL. For example the configuration could be "vm://hostname:port?deserializationBlackList=some.other.package&deserializationWhiteList=from.this.package". Please note the default whitelist and blacklist is configured via a SystemProperty which is set to null by default and allows every package to be serialized. HornetQ users are advised to update to ActiveMQ Artemis as these two products share the same codebase and eventually HornetQ will be retired.

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2017:1836 https://access.redhat.com/errata/RHSA-2017:1836

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7. Via RHSA-2017:1835 https://access.redhat.com/errata/RHSA-2017:1835

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6. Via RHSA-2017:1834 https://access.redhat.com/errata/RHSA-2017:1834

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7, Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6. Via RHSA-2017:1837 https://access.redhat.com/errata/RHSA-2017:1837

This does affect JBoss Enterprise Application Platform 6. Any ETA for release of the fix for EAP 6?

I want to know if this affects JBoss EAP 6? If yes, which version should we take for update?

Fix has been released for JBoss EAP 7. CVE does affect EAP 6 as well.

Will there be any fix released for JBoss EAP 6 for this CVE? Any update would be helpful. Thanks

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6. Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7. Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7, Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6. Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7. Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5. Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451
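The reporter's first comment describes the shape of the fix (an allow list and a deny list of classes consulted when an ObjectMessage payload is deserialized, both unset by default) without showing what such a filter does at the byte level. The following is an added, stand-alone example written for this page; it is not code from the bug, from Apache ActiveMQ Artemis, or from Red Hat. It imitates the mechanism with a plain `ObjectInputStream` subclass: class-name prefix matching, deny-before-allow precedence, and "empty allow list means allow everything" are this example's own assumptions, not a description of Artemis' exact matching rules; the broker-URL parameters `deserializationBlackList` and `deserializationWhiteList` are the real setting quoted in the comment above, which this class only mirrors locally. The sample payloads (an `ArrayList` and a `HashMap` of strings) are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/**
 * Added example (not Artemis/Red Hat code): a look-ahead deserialization filter
 * of the kind the fixed client applies to ObjectMessage payloads. The two lists
 * play the role of the broker-URL parameters quoted in the bug, e.g.
 *   vm://hostname:port?deserializationBlackList=some.other.package&deserializationWhiteList=from.this.package
 * Prefix matching and precedence below are this example's assumptions.
 */
public class DeserializationFilterDemo {

    /** Deny list wins; an empty allow list admits everything, which mirrors the
     *  unsafe "both lists unset" default the bug comment warns about. */
    static boolean isAllowed(String className, List<String> allowList, List<String> denyList) {
        for (String denied : denyList) {
            if (className.startsWith(denied)) {
                return false;
            }
        }
        if (allowList.isEmpty()) {
            return true;
        }
        for (String allowed : allowList) {
            if (className.startsWith(allowed)) {
                return true;
            }
        }
        return false;
    }

    /** Consults the lists in resolveClass(), i.e. before the incoming class is
     *  loaded, so none of its constructor, readObject() or readResolve() can run. */
    static final class FilteringObjectInputStream extends ObjectInputStream {
        private final List<String> allowList;
        private final List<String> denyList;

        FilteringObjectInputStream(InputStream in, List<String> allowList, List<String> denyList)
                throws IOException {
            super(in);
            this.allowList = allowList;
            this.denyList = denyList;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!isAllowed(name, allowList, denyList)) {
                throw new InvalidClassException(name, "class rejected by deserialization filter");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object payload) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(payload);
        }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] bytes, List<String> allowList, List<String> denyList)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteringObjectInputStream(
                new ByteArrayInputStream(bytes), allowList, denyList)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads. String elements carry no class descriptor,
        // so only the container class reaches resolveClass().
        byte[] listBytes = serialize(new ArrayList<>(List.of("order-1", "order-2")));
        HashMap<String, String> map = new HashMap<>();
        map.put("k", "v");
        byte[] mapBytes = serialize(map);

        List<String> allow = List.of("java.util.ArrayList");
        List<String> deny = List.of("java.util.HashMap");

        System.out.println("allowed: " + deserialize(listBytes, allow, deny));
        try {
            deserialize(mapBytes, allow, deny);
        } catch (InvalidClassException e) {
            System.out.println("rejected before instantiation: " + e.classname);
        }
        // Same bytes, no lists configured: accepted. This is the default the bug warns about.
        System.out.println("unfiltered default accepted: " + deserialize(mapBytes, List.of(), List.of()));
    }
}
```

Compile and run with a JDK 9 or newer (`List.of`). The decision is made in `resolveClass`, before the class is loaded, which is what makes an allow list effective against gadget chains: the rejected class never gets a constructor, `readObject` or `readResolve` call. The practical point of the first comment stands in either form: with neither list configured the filter admits every class, so a consumer that calls `ObjectMessage.getObject()` on messages from a producer it does not fully trust needs the allow list set explicitly, on the broker URL for Artemis, rather than relying on the default. On JDK 9 and later (and 8u121+) the same effect can be obtained with the built-in `ObjectInputFilter`, which applies to every `ObjectInputStream` in the process rather than only to the JMS client.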