CVE-2015-5254

Low
CVSS Score
Published: Jan 08, 2016
Last Modified: Apr 12, 2025

Vulnerability Description

Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

Known Affected Software

27 configuration(s) from 3 vendor(s)

| Product | Version | CPE |
|---|---|---|
| activemq | 5.3.0 | cpe:2.3:a:apache:activemq:5.3.0:*:*:*:*:*:*:* |
| activemq | 5.11.0 | cpe:2.3:a:apache:activemq:5.11.0:*:*:*:*:*:*:* |
| activemq | 5.4.3 | cpe:2.3:a:apache:activemq:5.4.3:*:*:*:*:*:*:* |
| activemq | 5.0.0 | cpe:2.3:a:apache:activemq:5.0.0:*:*:*:*:*:*:* |
| activemq | 5.10.1 | cpe:2.3:a:apache:activemq:5.10.1:*:*:*:*:*:*:* |
| activemq | 5.3.2 | cpe:2.3:a:apache:activemq:5.3.2:*:*:*:*:*:*:* |
| activemq | 5.9.0 | cpe:2.3:a:apache:activemq:5.9.0:*:*:*:*:*:*:* |
| activemq | 5.8.0 | cpe:2.3:a:apache:activemq:5.8.0:*:*:*:*:*:*:* |
| activemq | 5.10.0 | cpe:2.3:a:apache:activemq:5.10.0:*:*:*:*:*:*:* |
| activemq | 5.12.1 | cpe:2.3:a:apache:activemq:5.12.1:*:*:*:*:*:*:* |
| activemq | 5.4.1 | cpe:2.3:a:apache:activemq:5.4.1:*:*:*:*:*:*:* |
| activemq | 5.2.0 | cpe:2.3:a:apache:activemq:5.2.0:*:*:*:*:*:*:* |
| activemq | 5.12.0 | cpe:2.3:a:apache:activemq:5.12.0:*:*:*:*:*:*:* |
| activemq | 5.3.1 | cpe:2.3:a:apache:activemq:5.3.1:*:*:*:*:*:*:* |
| activemq | 5.7.0 | cpe:2.3:a:apache:activemq:5.7.0:*:*:*:*:*:*:* |
| activemq | 5.10.2 | cpe:2.3:a:apache:activemq:5.10.2:*:*:*:*:*:*:* |
| activemq | 5.9.1 | cpe:2.3:a:apache:activemq:5.9.1:*:*:*:*:*:*:* |
| activemq | 5.1.0 | cpe:2.3:a:apache:activemq:5.1.0:*:*:*:*:*:*:* |
| activemq | 5.5.1 | cpe:2.3:a:apache:activemq:5.5.1:*:*:*:*:*:*:* |
| activemq | 5.5.0 | cpe:2.3:a:apache:activemq:5.5.0:*:*:*:*:*:*:* |
| activemq | 5.11.2 | cpe:2.3:a:apache:activemq:5.11.2:*:*:*:*:*:*:* |
| activemq | 5.11.1 | cpe:2.3:a:apache:activemq:5.11.1:*:*:*:*:*:*:* |
| activemq | 5.4.0 | cpe:2.3:a:apache:activemq:5.4.0:*:*:*:*:*:*:* |
| activemq | 5.6.0 | cpe:2.3:a:apache:activemq:5.6.0:*:*:*:*:*:*:* |
| fedora | 22 | cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:* |
| fedora | 23 | cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:* |
| openshift | 2.0 | cpe:2.3:a:redhat:openshift:2.0:*:*:*:*:*:*:* |

This vulnerability affects 27 software configuration(s). Ensure you patch all affected systems.

Severity Details

out of 10.0
Low

Weakness Type (CWE)

CWE-20 Top 25 #14

Improper Input Validation

Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Exploit Likelihood: High
Typical Severity: High
Abstraction Level: Class

Key Information

Published Date: January 08, 2016