Deserialization Vulnerability in Apache ActiveMQ Artemis Products
CVE-2016-4978

7.2HIGH

Key Information:

Vendor

Apache
Status
ActiveMQ Artemis
Vendor
CVE Published:
27 September 2016

What is CVE-2016-4978?

The getObject method of the javax.jms.ObjectMessage class in the JMS Core client, Artemis broker, and Artemis REST component in Apache ActiveMQ Artemis allows remote authenticated users, who have permission to send messages to the broker, to potentially deserialize arbitrary objects. This can lead to the execution of arbitrary code by taking advantage of gadget classes present on the Artemis classpath, posing significant security risks to environments utilizing the affected versions.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://www.blackhat.com/docs/us-16/materials/us-16-Kaise...
x_refsource_MISC
http://www.securityfocus.com/bid/93142
vdb-entryx_refsource_BID
https://access.redhat.com/errata/RHSA-2018:1448
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.