{
  "threat_severity" : "Moderate",
  "public_date" : "2015-12-08T00:00:00Z",
  "bugzilla" : {
    "description" : "ObjectMessage: unsafe deserialization",
    "id" : "1291292",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1291292"
  },
  "cvss" : {
    "cvss_base_score" : "6.0",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:S/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.", "It was found that use of a JMS ObjectMessage does not safely handle user-supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage." ],
  "statement" : "A malicious message producer must authenticate to EAP in order to send messages. Also, the use of JMS ObjectMessage is a choice made by the developer of the application. Therefore, this issue is rated as moderate.",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss A-MQ 6.3",
    "release_date" : "2016-10-06T00:00:00Z",
    "advisory" : "RHSA-2016:2036",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.3"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.3",
    "release_date" : "2016-10-06T00:00:00Z",
    "advisory" : "RHSA-2016:2035",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "activemq-0:5.9.0-6.redhat.611454.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "jenkins-0:1.625.3-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "openshift-enterprise-upgrade-0:2.2.9-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "openshift-origin-broker-util-0:1.37.5.3-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "openshift-origin-cartridge-cron-0:1.25.2.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "openshift-origin-cartridge-haproxy-0:1.31.5.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "openshift-origin-cartridge-mysql-0:1.31.2.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "openshift-origin-cartridge-php-0:1.35.3.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "openshift-origin-cartridge-python-0:1.34.2.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "openshift-origin-msg-node-mcollective-0:1.30.2.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "openshift-origin-node-proxy-0:1.26.2.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "openshift-origin-node-util-0:1.38.6.2-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "php-0:5.3.3-46.el6_7.1"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "rhc-0:1.38.6.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "rubygem-openshift-origin-common-0:1.29.5.2-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "rubygem-openshift-origin-console-0:1.35.5.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "rubygem-openshift-origin-controller-0:1.38.5.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "rubygem-openshift-origin-frontend-apache-vhost-0:0.13.2.1-1.el6op"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2.2",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0489",
    "cpe" : "cpe:/a:redhat:openshift:2.0::el6",
    "package" : "rubygem-openshift-origin-node-0:1.38.5.3-1.el6op"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss A-MQ 6",
    "fix_state" : "Affected",
    "package_name" : "activemq",
    "cpe" : "cpe:/a:redhat:jboss_amq:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Will not fix",
    "package_name" : "hornetq",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Will not fix",
    "package_name" : "artemis",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "activemq",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6.0",
    "fix_state" : "Affected",
    "package_name" : "activemq",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-5254\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5254\nhttp://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt" ],
  "name" : "CVE-2015-5254",
  "mitigation" : {
    "value" : "If you deploy a JMS publisher and subscriber and do not trust the messages your clients send to you, you can mitigate this issue by installing a Java agent that restricts the classes that can be deserialized. The following article describes the recommended approach:\nhttps://access.redhat.com/solutions/2190911\nYou can also mitigate this issue using the features of the Java Virtual Machine added in JEP 290:\nhttp://openjdk.java.net/jeps/290",
    "lang" : "en:us"
  },
  "csaw" : false
}