what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Qpid Untrusted Input Deserialization

Apache Qpid Untrusted Input Deserialization
Posted Jul 2, 2016
Authored by Matthias Kaiser

When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process of constructing the body to return. Unless the application has taken outside steps to limit the deserialization process, they can't protect against input that might try to make undesired use of classes available on the application classpath that might be vulnerable to exploitation. Apache Qpid AMQP 0-x JMS client versions 6.0.3 and earlier and Qpid JMS (AMQP 1.0) client versions 0.9.0 and earlier are affected.

tags | advisory
advisories | CVE-2016-4974
SHA-256 | a334cb653669fa548ee6ab3108c37becded85013ee84bdec62a00650922edf5e

Apache Qpid Untrusted Input Deserialization

Change Mirror Download
[CVE-2016-4974] Apache Qpid: deserialization of untrusted input while
using JMS ObjectMessage

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Qpid AMQP 0-x JMS client 6.0.3 and earlier
Qpid JMS (AMQP 1.0) client 0.9.0 and earlier

Description:
When applications call getObject() on a consumed JMS ObjectMessage they are
subject to the behaviour of any object deserialization during the process
of constructing the body to return. Unless the application has taken outside
steps to limit the deserialization process, they can't protect against
input that might try to make undesired use of classes available on the
application classpath that might be vulnerable to exploitation.

Mitigation:
Users using ObjectMessage can upgrade to Qpid AMQP 0-x JMS client
6.0.4 or Qpid JMS (AMQP 1.0) client 0.10.0 or later, and use the new
configuration options to whitelist trusted content permitted for
deserialization. When so configured, attempts to deserialize input
containing other content will be prevented. Alternatively, users of older
client releases may utilise other means such as agent-based approach to help
govern content permitted for deserialization in their application.

Credit:
This issue was discovered by Matthias Kaiser of Code White (www.code-white.com)
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close