FYI:
I received an email from MITRE containing this information:
We have updated the description to replace "remote attackers"
with "remote authenticated users with permission to send
messages" to address the first bullet point. The revised
description should become available in the CVE List in the
next business day.
Please note that you may need to contact NIST directly to
have them re-evaluate the CVSS score in the NVD.
If we are happy with that change, I would contact NIST to ask them
to re-evaluate the CVSS score once the changed description is
online.
Kind regards,
Lorenz
On 04/08/16 09:13, Lorenz Quack wrote:
Dear Madam or Sir,
I would like to request an update to the vulnerability
description of CVE-2016-4974 [1]. The current description reads:
Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP
1.0) before 0.10.0 does not restrict the use of classes
available on the classpath, which might allow remote
attackers to deserialize arbitrary objects and execute
arbitrary code by leveraging a crafted serialized object in a
JMS ObjectMessage that is handled by the getObject function.
However, for this vulnerability to be exploited all of the
following conditions need to be met:
* The attacker needs authorization to send messages to the
target system.
* The target application needs to call getObject() on the
received JMS message.
* The target application needs to have additional exploitable
classes (e.g., Apache Commons Collections [2]) on the JVM
classpath.
I feel that the MITRE description does not adequately reflect
these points.
The description on the Qpid webpage [3,4] has been updated to
explicitly mention the first bullet point because we feel that
lack of clarity on this point may have led to overestimation of
the severity. For example, Red Hat's CVSSv3 severity assessment
[5] resulted in a score of 5.6, whereas NVD's assessment [6]
resulted in a score of 9.8.
Please let me know if you require further information to consider
changing the description.
Kind regards,
Lorenz Quack
on behalf of the Apache Qpid Project Management Committee
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4974
[2] https://issues.apache.org/jira/browse/COLLECTIONS-580
[3] https://qpid.apache.org/components/jms/security.html
[4] https://qpid.apache.org/components/jms/security-0-x.html
[5] https://access.redhat.com/security/cve/CVE-2016-4974
[6] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4974
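As a worked illustration of the second and third conditions listed above (the application calling getObject() and additional classes being present on the classpath), here is an added example of what a consumer can do on its side: deserialise the ObjectMessage body through a class allowlist so that classes which merely happen to be on the classpath can never be instantiated. This is not code from the thread or from the Qpid client; the OrderEvent payload type, the AllowlistObjectInputStream class and the helper method names are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

/**
 * Added example (not Qpid project code): deserialising a JMS ObjectMessage payload
 * through a class allowlist. Only the classes the consumer expects may be resolved;
 * everything else on the JVM classpath is rejected before it is loaded.
 */
public class SafeDeserializationDemo {

    // Hypothetical application payload type: the only class this consumer expects.
    static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int quantity;

        OrderEvent(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    // ObjectInputStream that rejects every class descriptor not on the allowlist.
    // resolveClass() runs for each class descriptor in the stream (String values and
    // primitive fields carry no descriptor), before the class is loaded or instantiated.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(byte[] payload, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(payload));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class is not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Stand-in for the bytes a consumer would obtain from an ObjectMessage body.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // The consumer-side check: only OrderEvent may come out of a message body.
    static Object deserializeMessageBody(byte[] payload)
            throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(OrderEvent.class.getName());
        try (ObjectInputStream in = new AllowlistObjectInputStream(payload, allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload of the expected type: accepted.
        byte[] expected = serialize(new OrderEvent("order-42", 3));
        OrderEvent event = (OrderEvent) deserializeMessageBody(expected);
        System.out.println("accepted: " + event.orderId + " x " + event.quantity);

        // Constructed payload of any other classpath type (a plain HashMap here):
        // rejected at its class descriptor, before any of its own readObject logic runs.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserializeMessageBody(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac SafeDeserializationDemo.java && java SafeDeserializationDemo`. The allowlist is deliberately exact-match on descriptor names, so a payload type with object-typed fields must also list those field classes (and their serialisable superclasses). On Java 9 and later the same policy can be expressed with the JDK's built-in filter, `ObjectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter(...))`, using a pattern that ends in `!*` to reject everything not named; the overriding approach shown here also works on Java 8.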