[
https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15046701#comment-15046701
]
Imran Ali commented on AMQ-6013:
--------------------------------
Based on [~mbechler]'s comment:
Can you please confirm if this fix is also based on
http://cwe.mitre.org/data/definitions/502.html
for the following CVEs:
CVE-2015-8103 and CVE-2015-4852
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852
If so, you are right, as a note on the Vulnerability Notes Database suggests the following:
{quote}
Developers need to re-architect their applications, and should be suspicious of
deserialized data from untrusted sources
{quote}
> Restrict classes that can be serialized in ObjectMessages
> ---------------------------------------------------------
>
> Key: AMQ-6013
> URL: https://issues.apache.org/jira/browse/AMQ-6013
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.12.0
> Reporter: Dejan Bosanac
> Assignee: Dejan Bosanac
> Fix For: 5.11.3, 5.13.0
>
>
> At some points we do (de)serialization of JMS Object messages inside the
> broker (HTTP, Stomp, Web Console, ...). We need to restrict classes that can
> be serialized in this way.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
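The issue description asks for the broker to restrict which classes may come out of an ObjectMessage's serialized payload. The mechanism Java gives you for that is the `resolveClass`/`resolveProxyClass` hooks on `ObjectInputStream`, which run for every class descriptor before the class is loaded. The following is an added example written for this page, not ActiveMQ's own `ClassLoadingAwareObjectInputStream` or any code from the ticket; the package name `com.example.broker`, the `OrderEvent` message type and the `BigDecimal` stand-in for an untrusted class are all constructed for the demonstration.

```java
package com.example.broker;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.math.BigDecimal;
import java.util.Arrays;
import java.util.List;

/** Hypothetical allowlisting stream (example code, not ActiveMQ's own class). */
public class RestrictedObjectInputStream extends ObjectInputStream {

    // Package (or class-name) prefixes that may be instantiated from the stream.
    // Assumption: a real broker would read this list from configuration, not code.
    private final List<String> trustedPrefixes;

    public RestrictedObjectInputStream(InputStream in, List<String> trustedPrefixes) throws IOException {
        super(in);
        this.trustedPrefixes = trustedPrefixes;
    }

    /** Called for every class descriptor in the stream, before the class is loaded. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        checkTrusted(desc.getName());
        return super.resolveClass(desc);
    }

    /** Dynamic proxies are resolved separately; check every interface they implement. */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        for (String iface : interfaces) {
            checkTrusted(iface);
        }
        return super.resolveProxyClass(interfaces);
    }

    private void checkTrusted(String className) throws InvalidClassException {
        String name = className;
        boolean isArray = name.startsWith("[");
        // Array descriptors look like "[Lcom.example.Foo;" or "[I"; unwrap to the element type.
        while (name.startsWith("[")) {
            name = name.substring(1);
        }
        if (isArray && name.length() == 1) {
            return; // primitive element code such as "I" or "B": nothing to instantiate
        }
        if (isArray && name.startsWith("L") && name.endsWith(";")) {
            name = name.substring(1, name.length() - 1);
        }
        for (String prefix : trustedPrefixes) {
            // Match on a package/class boundary so "com.example" does not admit "com.exampleevil.Gadget".
            if (name.equals(prefix) || name.startsWith(prefix + ".") || name.startsWith(prefix + "$")) {
                return;
            }
        }
        // Refuse before Class.forName runs: merely loading a class can execute its static initializer.
        throw new InvalidClassException(className, "class is not in the trusted packages list");
    }

    /** Constructed sample message type standing in for an application's own payload class. */
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String orderId;
        public final int quantity;
        public OrderEvent(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Object deserializeRestricted(byte[] data, List<String> trusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new RestrictedObjectInputStream(new ByteArrayInputStream(data), trusted)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> trusted = Arrays.asList("java.lang", "com.example.broker");

        // Trusted payload: its descriptor is com.example.broker.RestrictedObjectInputStream$OrderEvent.
        OrderEvent ok = (OrderEvent) deserializeRestricted(serialize(new OrderEvent("A-17", 3)), trusted);
        System.out.println("accepted: " + ok.orderId + " x" + ok.quantity);

        // BigDecimal is harmless; it only stands in for a class outside the allowlist (constructed input).
        try {
            deserializeRestricted(serialize(new BigDecimal("1.5")), trusted);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java RestrictedObjectInputStream.java` (JDK 11+ source-file mode) or compile it under `com/example/broker/`. The check fires on every descriptor in the stream, so an untrusted class nested inside a trusted one is rejected too, and the proxy hook covers gadget chains that go through `java.lang.reflect.Proxy`. An allowlist like this narrows the attack surface but is still a mitigation layered over the advice quoted above: data from untrusted sources should not be fed to Java serialization at all, and on JDK 9+ the platform's `ObjectInputFilter` (JEP 290) is the supported place to express the same restriction.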