From: Martyn Taylor
Date: Fri, 23 Sep 2016 12:14:14 +0100
Subject: [CVE-2016-4978] Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability
To: security@apache.org, Matthias Kaiser, oss-security@lists.openwall.com, bugtraq@securityfocus.com, dev@activemq.apache.org, users@activemq.apache.org

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Artemis 1.0.0, 1.1.0, 1.2.0, 1.3.0

A class implementing the Serializable interface is free to implement the "readObject(java.io.ObjectInputStream in)" method however it chooses.
This readObject method is invoked during the deserialization process, when a Java object is reconstructed from a serialized byte stream. It is possible to implement the method in such a way that Java code is executed while an object of this class is being deserialized; such a class is known as a "gadget class".

The JMS specification defines a getObject() method on the javax.jms.ObjectMessage interface. The Apache Artemis implementation of this method deserializes objects from untrusted input. Apache Artemis calls getObject() in several places: in the JMS Core client, in the Artemis broker and in the Artemis REST component. These Artemis components may therefore be vulnerable to a remote code execution attack.

Code execution may occur under the following circumstances:

· In the JMS client, when consuming an object message.
· In the REST module, when a REST client requests to consume a message that was originally sent as an object message (cross protocol).
· In the Artemis management layer, when a client sends an object message to a management address.
· On the broker, when an AMQP client consumes a message that was originally sent as an object message (cross protocol).

For this exploit to occur, the sender of the compromised message needs to be authenticated and authorized to send the message to the Artemis broker, and the affected classes (gadget classes) need to be present on the Artemis classpath.

Mitigation:

To secure the Apache Artemis broker and management layer:

** Upgrade to Apache Artemis 1.4.0.

For the Apache Artemis REST module and the Apache Artemis JMS client:

** Upgrade to Apache Artemis 1.4.0.
** Configure the appropriate deserialization white/black lists as outlined in the Artemis documentation.
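The following is an added illustration of the mechanism the advisory describes and of the allowlist style of mitigation; it is not code from the advisory or from the Artemis project. The Gadget, Order and AllowlistObjectInputStream classes are hypothetical. Gadget is a stand-in for a gadget class: its readObject runs code (here a harmless static flag) the moment a naive getObject()-style read reconstructs it. AllowlistObjectInputStream overrides resolveClass so that any class descriptor not on the allowlist is rejected before readObject can run, which is the same principle as the deserialization white list that Artemis 1.4.0 introduces.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class GadgetDemo {

    // Hypothetical gadget class: Serializable with a custom readObject that
    // executes code. The side effect here is a harmless flag; in a real gadget
    // chain this is where attacker-chosen behaviour would happen.
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean triggered = false;
        String payload = "constructed sample";

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // runs before the caller ever sees the object
        }
    }

    // Hypothetical payload type that the consumer actually expects to receive.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    // ObjectInputStream that refuses any class not on an explicit allowlist.
    // resolveClass is consulted for every class descriptor in the stream, so a
    // gadget class is rejected before its readObject can execute.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(byte[] bytes, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(bytes));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unfiltered read: what a naive getObject() implementation does.
    static Object unsafeGetObject(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Filtered read: only classes on the allowlist are reconstructed.
    static Object filteredGetObject(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(bytes, allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a serialized gadget and a serialized legitimate message.
        byte[] gadgetBytes = serialize(new Gadget());
        byte[] orderBytes = serialize(new Order("constructed-42"));
        Set<String> allowed = Set.of(Order.class.getName());

        unsafeGetObject(gadgetBytes);
        System.out.println("unfiltered: gadget readObject ran = " + Gadget.triggered);

        Gadget.triggered = false;
        try {
            filteredGetObject(gadgetBytes, allowed);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected " + e.classname + ", readObject ran = " + Gadget.triggered);
        }

        Order o = (Order) filteredGetObject(orderBytes, allowed);
        System.out.println("filtered: accepted expected type, id = " + o.id);
    }
}
```

Run with `java GadgetDemo.java` (Java 11 or later, since Set.of and single-file launch are used). In Artemis 1.4.0 the equivalent control is exposed on the JMS connection factory as the deserializationWhiteList and deserializationBlackList parameters (comma-separated class or package names, settable through the connection URL or the factory's setters); check the documentation for your exact version before relying on those names. On Java 9 and later the JDK's own ObjectInputFilter, attached with ObjectInputStream.setObjectInputFilter, provides the same kind of class filtering without subclassing.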
Credit: This issue was discovered by Matthias Kaiser of Code White (www.code-white.com).