Repository: qpid-site Updated Branches: refs/heads/asf-site 18ab1b176 -> d6ae1f10e
NO-JIRA: Add more detail to CVE-2016-4974 description Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/d6ae1f10 Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/d6ae1f10 Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/d6ae1f10 Branch: refs/heads/asf-site Commit: d6ae1f10ee549b575aa36ee5715c151e0d24b976 Parents: 18ab1b1 Author: Lorenz Quack <[email protected]> Authored: Wed Aug 3 14:54:21 2016 +0100 Committer: Lorenz Quack <[email protected]> Committed: Wed Aug 3 14:54:21 2016 +0100 ---------------------------------------------------------------------- content/components/jms/security-0-x.html | 9 +++++++-- content/components/jms/security.html | 9 +++++++-- input/components/jms/security-0-x.md | 9 +++++++-- input/components/jms/security.md | 9 +++++++-- 4 files changed, 28 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-site/blob/d6ae1f10/content/components/jms/security-0-x.html ---------------------------------------------------------------------- diff --git a/content/components/jms/security-0-x.html b/content/components/jms/security-0-x.html index dbe7698..52ea2f0 100644 --- a/content/components/jms/security-0-x.html +++ b/content/components/jms/security-0-x.html 
@@ -137,10 +137,15 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <div style="display:none;" id="CVE-2016-4974_details"> <p>Description: When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process - of constructing the body to return. Unless the application has taken outside + of constructing the body to return. Unless the application has taken outside steps to limit the deserialization process, they can't protect against input that might try to make undesired use of classes available on the - application classpath that might be vulnerable to exploitation.</p> + application classpath that might be vulnerable to exploitation. + In order to exploit this vulnerability, an attacker would need + to be able to inject a suitably crafted AMQP message containing the + malicious JMS Object Message into the AMQP message network. For this, + the attacker would require valid authentication credentials and + suitable authorisation.</p> <p> Mitigation: Users using ObjectMessage can upgrade to Qpid AMQP 0-x JMS client 6.0.4 or or later, and use the new http://git-wip-us.apache.org/repos/asf/qpid-site/blob/d6ae1f10/content/components/jms/security.html ---------------------------------------------------------------------- diff --git a/content/components/jms/security.html b/content/components/jms/security.html index 9b69a77..86986f1 100644 --- a/content/components/jms/security.html +++ b/content/components/jms/security.html 
@@ -137,10 +137,15 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <div style="display:none;" id="CVE-2016-4974_details"> <p>Description: When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process - of constructing the body to return. Unless the application has taken outside + of constructing the body to return. Unless the application has taken outside steps to limit the deserialization process, they can't protect against input that might try to make undesired use of classes available on the - application classpath that might be vulnerable to exploitation.</p> + application classpath that might be vulnerable to exploitation. + In order to exploit this vulnerability, an attacker would need + to be able to inject a suitably crafted AMQP message containing the + malicious JMS Object Message into the AMQP message network. For this, + the attacker would require valid authentication credentials and + suitable authorisation.</p> <p> Mitigation: Users using ObjectMessage can upgrade to Qpid JMS client 0.10.0 or later, and use the new http://git-wip-us.apache.org/repos/asf/qpid-site/blob/d6ae1f10/input/components/jms/security-0-x.md ---------------------------------------------------------------------- diff --git a/input/components/jms/security-0-x.md b/input/components/jms/security-0-x.md index ed6417a..cc491f5 100644 --- a/input/components/jms/security-0-x.md +++ b/input/components/jms/security-0-x.md 
@@ -40,10 +40,15 @@ <div style="display:none;" id="CVE-2016-4974_details"> <p>Description: When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process - of constructing the body to return. Unless the application has taken outside + of constructing the body to return. Unless the application has taken outside steps to limit the deserialization process, they can't protect against input that might try to make undesired use of classes available on the - application classpath that might be vulnerable to exploitation.</p> + application classpath that might be vulnerable to exploitation. + In order to exploit this vulnerability, an attacker would need + to be able to inject a suitably crafted AMQP message containing the + malicious JMS Object Message into the AMQP message network. For this, + the attacker would require valid authentication credentials and + suitable authorisation.</p> <p> Mitigation: Users using ObjectMessage can upgrade to Qpid AMQP 0-x JMS client 6.0.4 or or later, and use the new http://git-wip-us.apache.org/repos/asf/qpid-site/blob/d6ae1f10/input/components/jms/security.md ---------------------------------------------------------------------- diff --git a/input/components/jms/security.md b/input/components/jms/security.md index bc0c4b6..d201737 100644 --- a/input/components/jms/security.md +++ b/input/components/jms/security.md 
@@ -40,10 +40,15 @@ <div style="display:none;" id="CVE-2016-4974_details"> <p>Description: When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process - of constructing the body to return. Unless the application has taken outside + of constructing the body to return. Unless the application has taken outside steps to limit the deserialization process, they can't protect against input that might try to make undesired use of classes available on the - application classpath that might be vulnerable to exploitation.</p> + application classpath that might be vulnerable to exploitation. + In order to exploit this vulnerability, an attacker would need + to be able to inject a suitably crafted AMQP message containing the + malicious JMS Object Message into the AMQP message network. For this, + the attacker would require valid authentication credentials and + suitable authorisation.</p> <p> Mitigation: Users using ObjectMessage can upgrade to Qpid JMS client 0.10.0 or later, and use the new --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
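Review bot: In the content/components/jms/security-0-x.html hunk, the first removed/added pair ("of constructing the body to return. Unless the application has taken outside") is identical apart from whitespace, so a trailing-whitespace cleanup is bundled into a wording-only commit; either drop that pair or mention the whitespace fix in the commit message so the diff is read as the description change it is.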
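Review bot: In the content/components/jms/security.html hunk, the added sentence names the payload "JMS Object Message" while the existing description two lines above uses the API type name "JMS ObjectMessage"; use the type spelling in the new text as well so the page refers to one term throughout (the same inconsistency is in the other three files).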
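Review bot: In the input/components/jms/security-0-x.md hunk, the unchanged trailing context "upgrade to Qpid AMQP 0-x JMS client 6.0.4 or or later" carries a duplicated "or"; since this markdown is the source the HTML page is generated from, correct it here to "6.0.4 or later" and regenerate rather than leaving the typo next to the newly added text.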
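Review bot: In the input/components/jms/security.md hunk, the added claim that an attacker "would require valid authentication credentials and suitable authorisation" is true only where the broker actually enforces authentication and publish authorisation; consider qualifying it ("on a broker that requires authenticated and authorised publishers") so the description states the precondition rather than assuming every deployment enforces it. The same sentence appears in all four files and should be adjusted together.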
