CVE-2016-4974
Published: 13 July 2016
Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.
Priority
Medium
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
qpid-cpp Launchpad, Ubuntu, Debian |
artful |
Ignored
(reached end-of-life)
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| precise |
Does not exist
(precise was needs-triage)
|
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| upstream |
Needs triage
|
|
| wily |
Ignored
(reached end-of-life)
|
|
| xenial |
Ignored
|
|
| yakkety |
Ignored
(reached end-of-life)
|
|
| zesty |
Ignored
(reached end-of-life)
|
Notes
| Author | Note |
|---|---|
| ebarretto | This issue affects only qpid-jms. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4974
- http://qpid.apache.org/components/jms/security.html
- http://qpid.apache.org/components/jms/security-0-x.html
- http://www.openwall.com/lists/oss-security/2016/07/02/1
- NVD
- Launchpad
- Debian