Apache QPID deserialization security function Bypass Vulnerability (CVE-2016-4974)

Apache QPID deserialization security function Bypass Vulnerability (CVE-2016-4974)
Apache QPID deserialization security function Bypass Vulnerability (CVE-2016-4974)

Release date:
Updated on:

Affected Systems:

Apache Group Qpid AMQP 0-x JMS client <= 6.0.3
Apache Group Qpid JMS (AMQP 1.0) client <= 0.9.0

Description:

Bugtraq id: 91537
CVE (CAN) ID: CVE-2016-4974

Apache Qpid Java is the message Proxy Middleware. Write in Java and use AMQP to store, route, and forward messages.

Apache Qpid AMQP 0-x JMS Client versions earlier than 6.0.4 and JMS (AMQP 1.0) versions earlier than 0.10.0 without restriction on class usage on the class path. Remote attackers construct serialized objects through the JMS ObjectMessage, when processed by the getObject function, arbitrary objects are deserialized and arbitrary code is executed.

<* Source: Matthias Kaiser
*>

Suggestion:

Vendor patch:

Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://qpid.apache.org/components/jms/security-0-x.html
Https://issues.apache.org/jira/browse/QPIDJMS-188
Http://qpid.apache.org/components/jms/security.html

Refer:
Http://www.securitytracker.com/id/1036239
Http://www.securityfocus.com/archive/1/archive/1/538813/100/0/threaded
Http://packetstormsecurity.com/files/137749/Apache-Qpid-Untrusted-Input-Deserialization.html

This article permanently updates the link address: