Severity: Moderate
Product: AMQP 0-x JMS
Versions affected: 6.0.3 and earlier
Fixed in: 6.0.4 and later
Deserialization of untrusted input while using JMS ObjectMessage.
When an application calls getObject() on a consumed JMS ObjectMessage, it is subject to whatever Java object deserialization takes place while the body is reconstructed for return. Unless the application has taken its own steps to constrain that deserialization, it cannot protect itself against input crafted to make undesired use of classes available on the application classpath that may themselves be exploitable. To exploit this issue an attacker would need to inject a suitably crafted AMQP message containing the malicious JMS ObjectMessage into the AMQP message network; for this the attacker would require valid authentication credentials and suitable authorisation.
Users of ObjectMessage can upgrade to the Qpid AMQP 0-x JMS client 6.0.4 or later and use the new configuration options to whitelist the trusted content permitted for deserialization. Once so configured, attempts to deserialize input containing any other content are rejected. Alternatively, users of older client releases may employ other means, such as agent-based approaches, to govern the content their application permits for deserialization.
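The application-side alternative mentioned above, shown as an added example that is not part of this advisory and not the Qpid client's own configuration mechanism: a subclass of ObjectInputStream that refuses to resolve any class not on an explicit allow-list, so rejection happens before the class is loaded or any of its readObject logic can run. The Order and Untrusted classes, the allow-list contents and the byte arrays are constructed here for illustration; the example assumes the application has the serialized body bytes in hand (for instance because it transports the payload as a BytesMessage rather than calling ObjectMessage.getObject()).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class AllowListDeserialization {

    /** ObjectInputStream that only resolves classes named on an explicit allow-list. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                // Reject the stream before the class is loaded; nothing of the
                // attacker-chosen class ever executes.
                throw new InvalidClassException(name, "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    /** Deserialize a body only if every class in the stream is allow-listed. */
    static Object readAllowed(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(data, allowed)) {
            return in.readObject();
        }
    }

    /** Helper that produces a serialized body, standing in for a received message. */
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Constructed example of a type the application legitimately expects. */
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;

        Order(String id, int quantity) {
            this.id = id;
            this.quantity = quantity;
        }
    }

    /** Constructed stand-in for any class the application did not expect. */
    public static final class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Only the expected payload type is permitted; String fields are handled
        // by the stream directly and never pass through resolveClass.
        Set<String> allowed = Set.of(Order.class.getName());

        byte[] expectedBody = serialize(new Order("A-17", 3));
        Order order = (Order) readAllowed(expectedBody, allowed);
        System.out.println("accepted: " + order.id + " x" + order.quantity);

        byte[] unexpectedBody = serialize(new Untrusted());
        try {
            readAllowed(unexpectedBody, allowed);
            System.out.println("unexpected body was accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list must name every class that can appear in the stream, including serializable superclasses and the types of serializable fields, so build it from the real payload types rather than guessing. On Java 9 and later the same effect can be obtained without subclassing by setting an ObjectInputFilter on the stream, which also lets you cap depth and array sizes.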
This issue was discovered by Matthias Kaiser of Code White (www.code-white.com).
Apache Qpid, Messaging built on AMQP; Copyright © 2015 The Apache Software Foundation; Licensed under the Apache License, Version 2.0; Apache Qpid, Qpid, Qpid Proton, Proton, Apache, the Apache feather logo, and the Apache Qpid project logo are trademarks of The Apache Software Foundation; All other marks mentioned may be trademarks or registered trademarks of their respective owners