Dear Madam or Sir,

I would like to request an update to the vulnerability
description of CVE-2016-4974 [1].  The current description reads:

    Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP
    1.0) before 0.10.0 does not restrict the use of classes
    available on the classpath, which might allow remote
    attackers to deserialize arbitrary objects and execute
    arbitrary code by leveraging a crafted serialized object in a
    JMS ObjectMessage that is handled by the getObject function.

However, for this vulnerability to be exploited all of the
following conditions need to be met:

 * The attacker needs authorization to send messages to the
   target system.

 * The target application needs to call getObject() on the
   received JMS message.

 * The target application needs to have additional exploitable
   classes (e.g., Apache Commons Collections [2]) on the JVM
   classpath.

I feel that the MITRE description does not adequately reflect
these points.

The description on the Qpid webpage [3,4] has been updated to
explicitly mention the first bullet point because we feel that
lack of clarity on this point may have led to overestimation of
the severity.  For example, Red Hat's CVSSv3 severity assessment
[5] resulted in a score of 5.6, whereas NVD's assessment [6]
resulted in a score of 9.8.

Please let me know if you require further information to consider
changing the description.


Kind regards,

Lorenz Quack
on behalf of the Apache Qpid Project Management Committee


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4974
[2] https://issues.apache.org/jira/browse/COLLECTIONS-580
[3] https://qpid.apache.org/components/jms/security.html
[4] https://qpid.apache.org/components/jms/security-0-x.html
[5] https://access.redhat.com/security/cve/CVE-2016-4974
[6] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
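As an added illustration of the second and third bullet points above (not code from the mail, from Apache Qpid, or from the fixed client releases): the danger lies in the receiving application calling getObject() on an ObjectMessage while the JVM deserializes whatever class the stream names and the classpath can load. The JDK's own mechanism for restricting this is java.io.ObjectInputFilter (JDK 9 and later), shown here on a constructed serialized body. A real JMS consumer never sees the raw bytes, since the client library performs the deserialization, so this only demonstrates the allow-list principle the fixed versions apply; the OrderEvent class, the allow-list contents and the sample payloads are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class AllowListDeserialization {

    // Hypothetical payload type the receiving application expects in an ObjectMessage.
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int quantity;
        OrderEvent(String orderId, int quantity) { this.orderId = orderId; this.quantity = quantity; }
        @Override public String toString() { return "OrderEvent[" + orderId + ", " + quantity + "]"; }
    }

    // Serialize an object to bytes, as a JMS client does when building an ObjectMessage body.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Deserialize the body, but let the JVM instantiate only classes on the allow-list.
    // Any other class in the stream is rejected before its readObject() can run, which is
    // what stops gadget chains such as the Commons Collections one cited in the mail.
    static Object deserializeAllowListed(byte[] body, Set<String> allowedClassNames)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) {
                    // Callback for depth/reference/array-length limits, not a class: leave undecided.
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                while (c.isArray()) {
                    c = c.getComponentType();
                }
                if (c.isPrimitive()) {
                    return ObjectInputFilter.Status.ALLOWED;
                }
                return allowedClassNames.contains(c.getName())
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED;
            });
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed allow-list: only the application's own payload type (and String) may be created.
        Set<String> allowed = Set.of(OrderEvent.class.getName(), "java.lang.String");

        // Constructed expected body: passes the filter.
        byte[] expected = serialize(new OrderEvent("A-1", 3));
        System.out.println("expected body -> " + deserializeAllowListed(expected, allowed));

        // Constructed unexpected body: a harmless HashMap stands in for any class that is not
        // on the allow-list. It is rejected with an InvalidClassException, not instantiated.
        byte[] unexpected = serialize(new HashMap<>(Map.of("k", "v")));
        try {
            deserializeAllowListed(unexpected, allowed);
            System.out.println("unexpected body was accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("unexpected body rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a JDK 9 or newer (javac AllowListDeserialization.java && java AllowListDeserialization). The same filter can be installed process-wide with ObjectInputFilter.Config.setSerialFilter() or the jdk.serialFilter system property, which is the simpler option when the deserialization happens inside a library rather than in application code.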

