7.2

CVE-2016-4978

EPSS 1.08%
Veröffentlicht 27.09.2016 15:59:01
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 23

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Activemq Artemis Version < 1.4.0

Redhat ≫ Jboss Enterprise Application Platform Version6.0.0

   Redhat ≫ Enterprise Linux Server Version5.0
   Redhat ≫ Enterprise Linux Server Version6.0
   Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version6.4.0

   Redhat ≫ Enterprise Linux Server Version5.0
   Redhat ≫ Enterprise Linux Server Version6.0
   Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.0.0

Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Jboss Enterprise Application Platform Version7.1.0

Redhat ≫ Enterprise Linux Server Version6.0
Redhat ≫ Enterprise Linux Server Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.08%	0.771

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://access.redhat.com/errata/RHSA-2017:3454

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3455

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3456

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3458

Third Party Advisory

http://mail-archives.apache.org/mod_mbox/activemq-users/201609.mbox/%3CCAH6wpnqzeNtpykT7emtDU1-GV7AvjFP5-YroWcCC4UZyQEFvtA%40mail.gmail.com%3E

Vendor Advisory

Mailing List

http://www.securityfocus.com/bid/93142

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHSA-2017:1834

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:1835

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:1836

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:1837

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1447

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1448

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1449

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1450

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:1451

Third Party Advisory

https://lists.apache.org/thread.html/7260bd0955c12aac5bd892039d3356ba3aa0ff4caaf2aa4fd4fe84a2%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/d4ffbc6a43a915324a394b2913ceb7d07bc352f2d08caa19df0aff02%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E

https://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088%40%3Ccommits.activemq.apache.org%3E

https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf

Third Party Advisory

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2016-4978

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-4978

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-4978

EUVD