CVE-2016-4974 : Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes avail

Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before 0.10.0 does not restrict the use of classes available on the classpath, which might allow remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function.

Published 2016-07-13 15:59:05

Updated 2018-10-09 20:00:28

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Input validationExecute code

Exploit prediction scoring system (EPSS) score for CVE-2016-4974

Probability of exploitation activity in the next 30 days: 1.07%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 82 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-4974

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.0	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:P	6.8	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.5	HIGH	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.6	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-4974

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-4974

http://www.securityfocus.com/archive/1/538813/100/0/threaded

SecurityFocus
http://packetstormsecurity.com/files/137749/Apache-Qpid-Untrusted-Input-Deserialization.html

Apache Qpid Untrusted Input Deserialization ≈ Packet Storm
Third Party Advisory;VDB Entry
http://qpid.apache.org/components/jms/security.html

Security - Apache Qpid™
Vendor Advisory
http://www.securitytracker.com/id/1036239

Apache Qpid JMS ObjectMessage Deserialization Bug Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker
Third Party Advisory;VDB Entry
https://issues.apache.org/jira/browse/QPIDJMS-188

[QPIDJMS-188] [CVE-2016-4974] allow whitelisting trusted classes/packages for deserialization from ObjectMessage - ASF JIRA
Issue Tracking
http://qpid.apache.org/components/jms/security-0-x.html

Security - Apache Qpid™
Vendor Advisory
http://www.securityfocus.com/bid/91537

Apache QPID CVE-2016-4974 Deserialization Security Bypass Vulnerability
VDB Entry;Third Party Advisory

Products affected by CVE-2016-4974

Apache » Jms Client Amqp
Versions up to, including, (<=) 0.9.0
cpe:2.3:a:apache:jms_client_amqp:*:*:*:*:*:*:*:*
Matching versions
Apache » Amqp 0-x Jms Client
Versions up to, including, (<=) 6.0.3
cpe:2.3:a:apache:amqp_0-x_jms_client:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-4974

Exploit prediction scoring system (EPSS) score for CVE-2016-4974

CVSS scores for CVE-2016-4974

CWE ids for CVE-2016-4974

References for CVE-2016-4974

Products affected by CVE-2016-4974