[CVE-2016-4974] Apache Qpid: deserialization of untrusted input while using JMS ObjectMessage Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Qpid AMQP 0-x JMS client 6.0.3 and earlier Qpid JMS (AMQP 1.0) client 0.9.0 and earlier Description: When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process of constructing the body to return. Unless the application has taken outside steps to limit the deserialization process, they can't protect against input that might try to make undesired use of classes available on the application classpath that might be vulnerable to exploitation. Mitigation: Users using ObjectMessage can upgrade to Qpid AMQP 0-x JMS client 6.0.4 or Qpid JMS (AMQP 1.0) client 0.10.0 or later, and use the new configuration options to whitelist trusted content permitted for deserialization. When so configured, attempts to deserialize input containing other content will be prevented. Alternatively, users of older client releases may utilise other means such as agent-based approach to help govern content permitted for deserialization in their application. Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com)