It was reported that HornetQ 2.4.0 and earlier is vulnerable to deserialization of untrusted data allowing possible remote code execution. Method `getBodyInternal(Class<T> c)` in class `org.hornetq.jms.client.HornetQMessage` and method `getObject()` in class `org.hornetq.jms.client.HornetQObjectMessage` are both found to be vulnerable. Vulnerable code: `org.hornetq.jms.client.HornetQMessage`: * @SuppressWarnings("unchecked") * protected <T> T getBodyInternal(Class<T> c) throws MessageFormatException * { * InputStream is = ((MessageInternal)message).getBodyInputStream(); * try * { * ObjectInputStream ois = new ObjectInputStream(is); //<-- untrusted * return (T)ois.readObject(); * } * catch (Exception e) * { * throw new MessageFormatException(e.getMessage()); * } * } `org.hornetq.jms.client.HornetQObjectMessage`: * public Serializable getObject() * throws JMSException * { * if ((data == null) || (data.length == 0)) * { * return null; * } * * try * { * ByteArrayInputStream bais = new ByteArrayInputStream(data); * ObjectInputStream ois = new ObjectInputStreamWithClassLoader(bais); * return (Serializable)ois.readObject(); // <-- untrusted * * } * catch (Exception e) * { * JMSException je = new JMSException(e.getMessage()); * je.setStackTrace(e.getStackTrace()); * throw je; * } * }
Acknowledgments: Name: Matthias Kaiser (Code White)
Created hornetq tracking bugs for this issue: Affects: fedora-all [bug 1320756]
Tracker for EAP 7: https://issues.jboss.org/browse/JBEAP-3945
*** This bug has been marked as a duplicate of bug 1291292 ***