Bug 1379207 (CVE-2016-4978) - CVE-2016-4978 Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability
Summary: CVE-2016-4978 Apache ActiveMQ Artemis: Deserialization of untrusted input vul...
Status: CLOSED ERRATA
Alias: CVE-2016-4978
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160923,repor...
Keywords: Security
Depends On: 1444234 1444235 1472036
Blocks: 1393642 1474181 1520314
Reported: 2016-09-26 04:00 UTC by Hooman Broujerdi
Modified: 2019-06-11 11:13 UTC (History)
54 users

It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.
Clone Of:
Last Closed: 2019-06-08 02:59:06 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1834 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.0.7 on RHEL 6 2017-07-31 18:59:10 UTC
Red Hat Product Errata RHSA-2017:1835 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.0.7 on RHEL 7 2017-07-31 18:58:11 UTC
Red Hat Product Errata RHSA-2017:1836 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.0.7 2017-07-31 18:47:54 UTC
Red Hat Product Errata RHSA-2017:1837 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security update 2017-07-31 19:20:11 UTC
Red Hat Product Errata RHSA-2017:3454 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:48:09 UTC
Red Hat Product Errata RHSA-2017:3455 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:57:25 UTC
Red Hat Product Errata RHSA-2017:3456 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:31:03 UTC
Red Hat Product Errata RHSA-2017:3458 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security update 2017-12-13 23:26:13 UTC
Red Hat Product Errata RHSA-2018:1447 None None None 2018-05-14 20:15 UTC
Red Hat Product Errata RHSA-2018:1448 None None None 2018-05-14 20:35 UTC
Red Hat Product Errata RHSA-2018:1449 None None None 2018-05-14 20:38 UTC
Red Hat Product Errata RHSA-2018:1450 None None None 2018-05-14 20:42 UTC
Red Hat Product Errata RHSA-2018:1451 None None None 2018-05-14 20:50 UTC

Description Hooman Broujerdi 2016-09-26 04:00:25 UTC
A class implementing the Serializable interface is free to implement the "readObject(java.io.ObjectInputStream in)" method however it chooses. This readObject method is used during the deserialization process, when constructing a Java object from a serialized byte stream. It is possible to implement the method in such a way that it can result in Java code being executed during the deserialization of an object of this class (a "gadget class").

The JMS specification outlines a getObject() method on the javax.jms.ObjectMessage class. The Apache Artemis implementation of this method allows deserialization of objects from untrusted input. There are several places where Apache Artemis uses this getObject() method: in the JMS Core client, the Artemis broker and the Artemis REST component. These Artemis components may therefore be vulnerable to a remote code execution attack. Successful exploitation of this vulnerability relies on these "gadget classes" being present on the Artemis classpath and on the sender of the untrusted input being authenticated and authorized to send messages to the Artemis broker.

Comment 5 Hooman Broujerdi 2017-04-21 00:33:25 UTC
Once the fix is in place for this issue, developers need to specify the whitelist and blacklist of classes that are allowed to be serialized as a query string on their broker URL. For example, the configuration could be "vm://hostname:port?deserializationBlackList=some.other.package&deserializationWhiteList=from.this.package". Please note the default whitelist and blacklist are configured via a system property, which is set to null by default and allows every package to be serialized.

HornetQ users are advised to update to ActiveMQ Artemis, as these two products share the same codebase and eventually HornetQ will be retired.
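
Added example (not code from this bug or from the Artemis project) showing the mitigation described in Comment 5 from the consuming application's side: the broker URL carries the deserialization whitelist and blacklist, and getObject() on a message whose payload class is not allowed fails with a JMSException that the consumer records and drops, instead of deserializing an arbitrary class. The broker address, queue name, credentials and package names are placeholders, and a JMS 2.0 API (as shipped with Artemis) is assumed so that Connection is AutoCloseable.

```java
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;

/** Consumer that only accepts ObjectMessage payloads from an allowed package. */
public class RestrictedObjectConsumer {

    // Placeholder broker address, package names and queue; replace for your deployment.
    // A payload class must match the whitelist AND must not match the blacklist.
    static final String BROKER_URL = "tcp://localhost:61616"
            + "?deserializationWhiteList=com.example.orders"
            + "&deserializationBlackList=com.example.orders.legacy";
    static final String QUEUE = "orders";

    public static void main(String[] args) throws JMSException {
        ConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        // JMS 2.0 (as shipped with Artemis): Connection is AutoCloseable.
        try (Connection connection = factory.createConnection("consumer", "placeholder-password")) {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageConsumer consumer = session.createConsumer(session.createQueue(QUEUE));

            Message message = consumer.receive(5_000);
            if (!(message instanceof ObjectMessage)) {
                System.out.println("no ObjectMessage received within timeout");
                return;
            }
            try {
                // Deserialization happens here, inside the filtered ObjectInputStream
                // that the patched Artemis client builds from the URL parameters.
                Object payload = ((ObjectMessage) message).getObject();
                System.out.println("accepted payload of type " + payload.getClass().getName());
            } catch (JMSException rejected) {
                // A class outside the whitelist (or inside the blacklist) is refused
                // during class resolution; record the message id and drop the message.
                System.err.println("rejected ObjectMessage " + message.getJMSMessageID()
                        + ": " + rejected.getMessage());
            }
        }
    }
}
```

Because the defaults are empty (Comment 5), a consumer that omits both query parameters still deserializes any class on its classpath; the whitelist is what makes the restriction effective.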

Comment 7 errata-xmlrpc 2017-07-31 14:48:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:1836 https://access.redhat.com/errata/RHSA-2017:1836

Comment 8 errata-xmlrpc 2017-07-31 15:00:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:1835 https://access.redhat.com/errata/RHSA-2017:1835

Comment 9 errata-xmlrpc 2017-07-31 15:01:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:1834 https://access.redhat.com/errata/RHSA-2017:1834

Comment 10 errata-xmlrpc 2017-07-31 15:20:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:1837 https://access.redhat.com/errata/RHSA-2017:1837

Comment 11 Ravindra Patil 2017-09-12 17:03:09 UTC
This does affect JBoss Enterprise Application Platform 6.

Any ETA for release of the fix for EAP 6?

Comment 12 Wei Chen 2017-09-29 06:20:40 UTC
I want to know if this affects JBoss EAP 6? If yes, which version should we take for update?

Comment 13 Ravindra Patil 2017-11-10 09:16:47 UTC
A fix has been released for JBoss EAP 7.
The CVE does affect EAP 6 as well.

Will there be any fix released for JBoss EAP 6 for this CVE?

Any update would be helpful. Thanks

Comment 15 errata-xmlrpc 2017-12-13 17:33:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 16 errata-xmlrpc 2017-12-13 18:20:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 17 errata-xmlrpc 2017-12-13 18:41:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 18 errata-xmlrpc 2017-12-13 18:46:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

Comment 19 errata-xmlrpc 2018-05-14 20:15:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1447 https://access.redhat.com/errata/RHSA-2018:1447

Comment 20 errata-xmlrpc 2018-05-14 20:35:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:1448 https://access.redhat.com/errata/RHSA-2018:1448

Comment 21 errata-xmlrpc 2018-05-14 20:38:30 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1449 https://access.redhat.com/errata/RHSA-2018:1449

Comment 22 errata-xmlrpc 2018-05-14 20:42:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:1450 https://access.redhat.com/errata/RHSA-2018:1450

Comment 23 errata-xmlrpc 2018-05-14 20:50:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:1451 https://access.redhat.com/errata/RHSA-2018:1451

