{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-12-03T00:00:00", "descriptions": [{"lang": "en", "value": "Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-03-27T19:06:06", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "DSA-3524", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3524"}, {"name": "RHSA-2016:2035", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"}, {"name": "FEDORA-2015-7ca4368b0c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174537.html"}, {"name": "[oss-security] 20151208 [ANNOUNCE] CVE-2015-5254 - Unsafe deserialization in ActiveMQ", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2015/12/08/6"}, {"name": "RHSA-2016:0489", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680"}, {"name": "FEDORA-2015-eefc5a6762", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174371.html"}, {"name": "RHSA-2016:2036", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/browse/AMQ-6013"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"}, {"name": "[activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-5254", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3524", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3524"}, {"name": "RHSA-2016:2035", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"}, {"name": "FEDORA-2015-7ca4368b0c", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174537.html"}, {"name": "[oss-security] 20151208 [ANNOUNCE] CVE-2015-5254 - Unsafe deserialization in ActiveMQ", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/12/08/6"}, {"name": "RHSA-2016:0489", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"}, {"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680", "refsource": "CONFIRM", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680"}, {"name": "FEDORA-2015-eefc5a6762", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174371.html"}, {"name": "RHSA-2016:2036", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"name": "https://issues.apache.org/jira/browse/AMQ-6013", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/AMQ-6013"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}, {"name": "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt", "refsource": "CONFIRM", "url": "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"}, {"name": "[activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:41:08.759Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3524", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3524"}, {"name": "RHSA-2016:2035", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"}, {"name": "FEDORA-2015-7ca4368b0c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174537.html"}, {"name": "[oss-security] 20151208 [ANNOUNCE] CVE-2015-5254 - Unsafe deserialization in ActiveMQ", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/12/08/6"}, {"name": "RHSA-2016:0489", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680"}, {"name": "FEDORA-2015-eefc5a6762", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174371.html"}, {"name": "RHSA-2016:2036", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/browse/AMQ-6013"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"}, {"name": "[activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5254", "datePublished": "2016-01-08T19:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:41:08.759Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B497EBB1-17A4-4FE8-B9FF-B2B53B18C175", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "436F59B9-507A-4B4E-A9F3-022616866151", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "F58D9E69-CBF2-4FB6-B062-ED21F83CBCCB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "05D6EC30-88DC-4424-BF86-D9C0DA5E191C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "82ACD6BA-257F-49D0-8944-0991FB038533", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "C43FD7A1-FC03-47BC-B6C6-02C0F1466762", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "A7A8D571-2925-4F61-B3F0-8F4A3776F6EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "47B31CD9-A3BB-427C-A631-2E8168DD1985", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "6B904806-6796-4947-BDF4-EEA5681147E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "6075BF1D-AC7C-46E3-A730-4E9A98856520", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "623530FC-12E9-480B-AFA0-C19FCFFA5D36", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "C5755A41-0DBE-4F54-A1C1-4F65DCC6ACD2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "11AADFBF-AC60-4535-892C-BE90BE858172", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "AC5143E8-B392-4954-9C0D-DD39388B669F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4C0A644-8667-4ABD-8BB3-46289DCD3A93", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "607B6541-973A-4FF5-8106-A30076CA353C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "08310F87-4C45-436F-A707-A22A4ACB1587", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "4243B47C-26B9-45BE-B66A-F1534D18A265", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.10.1:*:*:*:*:*:*:*", "matchCriteriaId": "26258CBF-39D0-45FD-AC6B-3D9840CB88EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "532FC7B8-31FD-459C-B757-4D17D4E6ED63", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "36710BEE-E9B8-4979-BB75-6CEF7836268B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "F15DF0DF-FDBD-4196-88DE-023CF90AA0D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "0E1A027B-EDBB-4305-BCE2-5DA862F9A3A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.12.0:*:*:*:*:*:*:*", "matchCriteriaId": "1DA90EA1-64F2-44DD-86A8-E35191C79446", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:5.12.1:*:*:*:*:*:*:*", "matchCriteriaId": "8E7D827D-8180-4605-98CB-03436F916B27", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*", "matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object."}, {"lang": "es", "value": "Apache ActiveMQ 5.x en versiones anteriores a 5.13.0 no restringe las clases que pueden ser serializadas en el broker, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de un objeto ObjectMessage Java Message Service (JMS) serializado manipulado."}], "id": "CVE-2015-5254", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-01-08T19:59:00.113", "references": [{"source": "secalert@redhat.com", "url": "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174371.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174537.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3524"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2015/12/08/6"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"source": "secalert@redhat.com", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/AMQ-6013"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174371.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174537.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3524"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2015/12/08/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/AMQ-6013"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2016:2036", "cpe": "cpe:/a:redhat:jboss_amq:6.3", "product_name": "Red Hat JBoss A-MQ 6.3", "release_date": "2016-10-06T00:00:00Z"}, {"advisory": "RHSA-2016:2035", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "product_name": "Red Hat JBoss Fuse 6.3", "release_date": "2016-10-06T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "activemq-0:5.9.0-6.redhat.611454.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "jenkins-0:1.625.3-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-enterprise-upgrade-0:2.2.9-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-broker-util-0:1.37.5.3-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-cron-0:1.25.2.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-haproxy-0:1.31.5.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-mysql-0:1.31.2.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-php-0:1.35.3.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-cartridge-python-0:1.34.2.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-msg-node-mcollective-0:1.30.2.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-node-proxy-0:1.26.2.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "openshift-origin-node-util-0:1.38.6.2-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "php-0:5.3.3-46.el6_7.1", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rhc-0:1.38.6.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-common-0:1.29.5.2-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-console-0:1.35.5.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-controller-0:1.38.5.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-frontend-apache-vhost-0:0.13.2.1-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}, {"advisory": "RHSA-2016:0489", "cpe": "cpe:/a:redhat:openshift:2.0::el6", "package": "rubygem-openshift-origin-node-0:1.38.5.3-1.el6op", "product_name": "Red Hat OpenShift Enterprise 2.2", "release_date": "2016-03-22T00:00:00Z"}], "bugzilla": {"description": "ObjectMessage: unsafe deserialization", "id": "1291292", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1291292"}, "csaw": false, "cvss": {"cvss_base_score": "6.0", "cvss_scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "status": "verified"}, "cwe": "CWE-502", "details": ["Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.", "It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage."], "mitigation": {"lang": "en:us", "value": "If you do deploy a JMS publisher, and subscriber, and don't trust the messages sent to you by your clients, you could mitigate this issue by installing a Java agent which restricts the classes which can be deserialized. This is an article with the recommended approach:\nhttps://access.redhat.com/solutions/2190911\nYou could also mitigate this issue using the features of the Java Virtual Machine added in JEP 290:\nhttp://openjdk.java.net/jeps/290"}, "name": "CVE-2015-5254", "package_state": [{"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Affected", "package_name": "activemq", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Will not fix", "package_name": "hornetq", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Will not fix", "package_name": "artemis", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Affected", "package_name": "activemq", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.0", "fix_state": "Affected", "package_name": "activemq", "product_name": "Red Hat JBoss Fuse Service Works 6.0"}], "public_date": "2015-12-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-5254\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5254\nhttp://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"], "statement": "A malicious message producer needs to authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage needs to be chosen by the developer of the application. Therefore this issue is rated as moderate.", "threat_severity": "Moderate"}