Bug 1379207 (CVE-2016-4978)

Summary: CVE-2016-4978 Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability
Product: [Other] Security Response
Reporter: Hooman Broujerdi <hghasemb>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, alazarot, bbaranow, bcourt, bkearney, bmaxwell, cbillett, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dosoudil, erismith, etirelli, fnasser, gvarsami, jason.greene, jawilson, jboss-set, jcoleman, jmatthew, jshepherd, kconner, kverlaen, ldimaggi, lgao, lpetrovi, mbaluch, mmccune, mstead, mwinkler, myarboro, nwallace, ohadlevy, pgier, psakar, pslavice, ravpatil, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, spinder, tcunning, theute, tkirby, tlestach, tomckay, tsanders, twalsh, vtunka, wei.chen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.
Story Points: ---
Last Closed: 2019-06-08 02:59:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1444234, 1444235, 1472036
Bug Blocks: 1393642, 1474181, 1520314

Description Hooman Broujerdi 2016-09-26 04:00:25 UTC
A class implementing the Serializable interface is free to implement
the "readObject(java.io.ObjectInputStream in)" method however it chooses.
This readObject method is used during the deserialization process, when
constructing a Java object from a serialized byte stream. It is possible to
implement the method in such a way that can result in Java code being
executed during the deserialization of an object of this class (gadget class).

The JMS specification outlines a getObject() method on the
javax.jms.ObjectMessage class. The Apache Artemis implementation of this
method allows deserialization of objects from untrusted input. There are
several places where Apache Artemis uses this getObject() method: in the JMS
Core client, the Artemis broker and the Artemis REST component. These Artemis
components may therefore be vulnerable to a remote code execution attack.
Successful exploitation of this vulnerability relies on these "gadget classes"
being present on the Artemis classpath and the sender of the untrusted input
being authenticated and authorized to send messages to the Artemis broker.

Comment 5 Hooman Broujerdi 2017-04-21 00:33:25 UTC
Once the fix is in place for this issue, developers need to specify the whitelist and blacklist of classes that are allowed to be serialized as a query string on their broker URL. For example, the configuration could be "vm://hostname:port?deserializationBlackList=some.other.package&deserializationWhiteList=from.this.package". Please note the default whitelist and blacklist are configured via a system property which is set to null by default and allows every package to be serialized.

HornetQ users are advised to update to ActiveMQ Artemis as these two products share the same codebase and eventually HornetQ will be retired.
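The two comments above describe the risk (a gadget class's readObject() running during deserialization) and the mitigation (a package blacklist/whitelist on the broker URL). As an added illustration that is not code from this bug report or from Artemis itself, the JDK-only ObjectInputStream subclass below enforces those semantics inside resolveClass, so a disallowed class is rejected before its readObject() can ever run; the class name FilteredObjectInputStream, the comma-separated parameter format and the package-prefix matching are assumptions of this sketch.

```java
import java.io.*;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Filtering ObjectInputStream modelled on the semantics in the comment above:
// blacklist entries win, an unset (null/empty) whitelist allows everything else.
public class FilteredObjectInputStream extends ObjectInputStream {
    private final List<String> blackList;
    private final List<String> whiteList;

    public FilteredObjectInputStream(InputStream in, String blackList, String whiteList) throws IOException {
        super(in);
        this.blackList = split(blackList);
        this.whiteList = split(whiteList);
    }

    // Assumed format: comma-separated package or class names, as in the URL query string.
    private static List<String> split(String csv) {
        return (csv == null || csv.isEmpty()) ? Collections.emptyList() : Arrays.asList(csv.split(","));
    }

    // Package-level rule: the fully qualified class name equals the entry or lies beneath it.
    private static boolean matches(List<String> prefixes, String className) {
        for (String p : prefixes) {
            if (className.equals(p) || className.startsWith(p + ".")) return true;
        }
        return false;
    }

    static boolean isAllowed(List<String> blackList, List<String> whiteList, String className) {
        if (matches(blackList, className)) return false;
        return whiteList.isEmpty() || matches(whiteList, className);
    }

    // Called for every class descriptor in the stream, before any instance is constructed.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!isAllowed(blackList, whiteList, desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not allowed by deserialization filter");
        }
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();           // constructed sample: a java.util.Date
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(new java.util.Date()); }
        try (ObjectInputStream in = new FilteredObjectInputStream(new ByteArrayInputStream(buf.toByteArray()), "some.other.package", "java.util")) {
            System.out.println("accepted: " + in.readObject());           // whitelisted package, readObject runs
        }
        try (ObjectInputStream in = new FilteredObjectInputStream(new ByteArrayInputStream(buf.toByteArray()), "java.util", null)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);                // blacklisted, rejected in resolveClass
        }
    }
}
```

With an empty whitelist and blacklist (the default the comment describes) every class passes, which is exactly the pre-fix behaviour; operators wanting a default-deny posture must set a non-empty whitelist.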

Comment 7 errata-xmlrpc 2017-07-31 14:48:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:1836 https://access.redhat.com/errata/RHSA-2017:1836

Comment 8 errata-xmlrpc 2017-07-31 15:00:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:1835 https://access.redhat.com/errata/RHSA-2017:1835

Comment 9 errata-xmlrpc 2017-07-31 15:01:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:1834 https://access.redhat.com/errata/RHSA-2017:1834

Comment 10 errata-xmlrpc 2017-07-31 15:20:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:1837 https://access.redhat.com/errata/RHSA-2017:1837

Comment 11 Ravindra Patil 2017-09-12 17:03:09 UTC
This does affect JBoss Enterprise Application Platform 6.

Any ETA for release of the fix for EAP 6?

Comment 12 Wei Chen 2017-09-29 06:20:40 UTC
I want to know if this affects JBoss EAP 6? If yes, which version should we take for update?

Comment 13 Ravindra Patil 2017-11-10 09:16:47 UTC
A fix has been released for JBoss EAP 7.
The CVE does affect EAP 6 as well.

Will there be any fix released for JBoss EAP 6 for this CVE?

Any update would be helpful. Thanks.

Comment 15 errata-xmlrpc 2017-12-13 17:33:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 16 errata-xmlrpc 2017-12-13 18:20:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 17 errata-xmlrpc 2017-12-13 18:41:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 18 errata-xmlrpc 2017-12-13 18:46:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

Comment 19 errata-xmlrpc 2018-05-14 20:15:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447

Comment 20 errata-xmlrpc 2018-05-14 20:35:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448

Comment 21 errata-xmlrpc 2018-05-14 20:38:30 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449

Comment 22 errata-xmlrpc 2018-05-14 20:42:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450

Comment 23 errata-xmlrpc 2018-05-14 20:50:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451