Vulnerability Description
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be deserialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. The body of an ObjectMessage is a Java serialized object; any ActiveMQ JVM that materialises that body (a consumer calling getObject(), or the broker itself when it has to rebuild the body) hands it to ObjectInputStream without checking the class names it contains, so a deserialization gadget chain already present on that classpath runs before the application ever sees the payload. ActiveMQ 5.13.0 fixes this by resolving classes through a whitelist of trusted packages (configurable on the connection factory or via the org.apache.activemq.SERIALIZABLE_PACKAGES system property).
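The following consumer is an added example, not code from the ActiveMQ project or the advisory. It puts the unrestricted configuration (the pre-5.13.0 behaviour, reproduced on 5.13.0+ by trustAllPackages) next to the hardened one that uses the 5.13.0 trusted-package whitelist. The broker URL, the queue name and the package com.example.orders are assumptions for illustration; the ActiveMQConnectionFactory methods setTrustedPackages and setTrustAllPackages are the real 5.13.0+ API.

```java
import java.util.Arrays;
import java.util.List;
import javax.jms.Connection;
import javax.jms.Destination;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class ObjectMessageConsumer {

    // Hypothetical application package whose classes legitimately travel in ObjectMessages.
    // "java.lang" is included because boxed primitives (Integer, Long, ...) carry a class
    // descriptor in the stream and must resolve too. Keep this list as short as possible.
    static final List<String> TRUSTED = Arrays.asList("com.example.orders", "java.lang");

    // Pre-5.13.0 behaviour (and 5.13.0+ with trustAllPackages): nothing inspects the class
    // names in the payload before ObjectInputStream resolves them, so any gadget chain whose
    // classes sit on the consumer's classpath executes inside getObject().
    static ActiveMQConnectionFactory unrestrictedFactory(String brokerUrl) {
        ActiveMQConnectionFactory f = new ActiveMQConnectionFactory(brokerUrl);
        f.setTrustAllPackages(true);   // do not do this; shown only for contrast
        return f;
    }

    // Fixed behaviour: 5.13.0 resolves classes through a whitelist. A payload that names a
    // class outside TRUSTED is rejected before that class's readObject() can run.
    static ActiveMQConnectionFactory hardenedFactory(String brokerUrl) {
        ActiveMQConnectionFactory f = new ActiveMQConnectionFactory(brokerUrl);
        f.setTrustedPackages(TRUSTED);
        return f;
    }

    static void consume(ActiveMQConnectionFactory factory, String queueName) throws JMSException {
        Connection conn = factory.createConnection();
        try {
            conn.start();
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Destination queue = session.createQueue(queueName);
            MessageConsumer consumer = session.createConsumer(queue);
            Message msg = consumer.receive(5000);
            if (msg instanceof ObjectMessage) {
                try {
                    // Deserialization happens here, not on receive(): the body is kept as
                    // bytes until getObject() is called.
                    Object payload = ((ObjectMessage) msg).getObject();
                    System.out.println("payload class: "
                            + (payload == null ? "null" : payload.getClass().getName()));
                } catch (JMSException e) {
                    // With the whitelist in place, a non-trusted class surfaces here as a
                    // JMSException wrapping a ClassNotFoundException. Log and drop; never
                    // fall back to a trust-all factory to "make it work".
                    System.err.println("rejected ObjectMessage: " + e.getMessage());
                }
            }
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws JMSException {
        String url = args.length > 0 ? args[0] : "tcp://localhost:61616";  // assumed broker address
        consume(hardenedFactory(url), "orders");                          // assumed queue name
    }
}
```

The same whitelist can be applied without code changes by starting every JVM that hosts ActiveMQ classes (consumers, producers that read replies, and the broker) with -Dorg.apache.activemq.SERIALIZABLE_PACKAGES=com.example.orders,java.lang. Upgrading to 5.13.0 is what makes the check exist at all; on older releases neither the setter nor the property has any effect, so the version check comes first.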
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | OpenShift | 2.0 |
| Apache | ActiveMQ | 5.0.0 up to, but not including, 5.13.0 |
| Fedora Project | Fedora | 22 |
Related Weaknesses (CWE)
- CWE-502: Deserialization of Untrusted Data
References
- http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.t
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174371.h
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174537.h
- http://rhn.redhat.com/errata/RHSA-2016-0489.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://rhn.redhat.com/errata/RHSA-2016-2036.html
- http://www.debian.org/security/2016/dsa-3524
- http://www.openwall.com/lists/oss-security/2015/12/08/6
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c
- https://issues.apache.org/jira/browse/AMQ-6013 (Vendor Advisory)
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65
FAQ
What is CVE-2015-5254?
CVE-2015-5254 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be deserialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
How severe is CVE-2015-5254?
CVE-2015-5254 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2015-5254?
Yes. The issue is fixed in Apache ActiveMQ 5.13.0, which introduces a whitelist of packages trusted for ObjectMessage deserialization; see the Apache announcement and AMQ-6013 in the references above. Red Hat, Fedora, Debian, Oracle and HPE ship their own updates for the bundled ActiveMQ, also linked above. Affected products include: Red Hat OpenShift, Apache ActiveMQ, Fedora Project Fedora.