Red Hat Bugzilla – Bug 1379207
CVE-2016-4978 Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability
Last modified: 2018-10-19 17:37:38 EDT
A class implementing the Serializable interface is free to implement the “readObject(java.io.ObjectInputStream in)” method however it chooses. This readObject method is used during the deserialization process, when constructing a java object from a serialized byte stream. It is possible to implement the method in such a way that can result in java code being executed during the deserialization of an object of this class (gadget class). The JMS specification outlines a getObject() method on the javax.jms.ObjectMessage class. The Apache Artemis implementation of this method allows deserialization of objects, from untrusted input. There are several places where Apache Artemis uses this getObject() method. In the JMS Core client, the Artemis broker and the Artemis REST component. These Artemis components may therefore be vulnerable to a remote code execution attack. Successful exploitations of this vulnerability rely on these "gadget classes" being present on the Artemis classpath and the sender of the untrusted input being authenticated and authorized to send messages to the Artemis broker.
Once the fix is in place for this issue, developers need to specify the whitelist and blacklist of classes that are allowed to be serialized as a query string on their broker url. For example the configuration could be "vm://hostname:port?deserializationBlackList=some.other.package&deserializationWhiteList=from.this.package". Please note the default whitelist and blacklist is configured via SystemProperty which sets to null by default and allows ever packages to be serialized. HorneQ users are advised to update to activemq artemis as these two products share the same codebase and eventually HornetQ will be retired.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:1836 https://access.redhat.com/errata/RHSA-2017:1836
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2017:1835 https://access.redhat.com/errata/RHSA-2017:1835
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:1834 https://access.redhat.com/errata/RHSA-2017:1834
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:1837 https://access.redhat.com/errata/RHSA-2017:1837
This does affect JBoss Enterprise Application Platform 6 Any ETA for release of the fix for EAP 6 ?
I want to know if this affects Jboss EAP 6? If yes, whih version should we take for update?
Fix have been released for Jboss EAP 7. CVE does affect EAP 6 as well Will there be any fix released for Jboss EAP 6 for this CVE ? Any update would be helpful. Thanks
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451