FreeBSD : activemq -- Unsafe deserialization (a258604d-f2aa-11e5-b4a9-ac220bdcec59)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Alvaro Muñoz, Matthias Kaiser and Christian Schneider report :

JMS Object messages depend on Java Serialization for
marshaling/unmarshaling of the message payload. There are a couple of
places inside the broker where deserialization can occur, like web
console or stomp object message transformation. As deserialization of
untrusted data can lead to security flaws as demonstrated in various
reports, this leaves the broker vulnerable to this attack vector.
Additionally, applications that consume ObjectMessage type of messages
can be vulnerable as they deserialize objects on
ObjectMessage.getObject() calls.
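The report above names the consumer-side hazard: every ObjectMessage.getObject() call deserializes whatever class the sender chose. The following added example (not code from the advisory or the ActiveMQ project) shows a consumer that constrains that step with the trusted-package allow-list the ActiveMQ 5.12.2+ client exposes; the broker URL, queue name and package name are placeholders, and the client version is an assumption.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

// Consumer that limits which classes an ObjectMessage may deserialize.
// Assumes an ActiveMQ 5.12.2 or later client, which added setTrustedPackages
// and setTrustAllPackages; all literals below are placeholders.
public class SafeObjectMessageConsumer {
    static final String BROKER_URL = "tcp://localhost:61616";   // placeholder
    static final String QUEUE_NAME = "orders";                   // placeholder
    static final String TRUSTED_PKG = "com.example.orders";      // placeholder

    public static void main(String[] args) throws Exception {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        // Only classes under TRUSTED_PKG may be instantiated by getObject();
        // a payload naming any other class is rejected with a JMSException
        // before its readObject() logic ever runs.
        factory.setTrustedPackages(Arrays.asList(TRUSTED_PKG));
        factory.setTrustAllPackages(false); // keep the allow-list in force

        Connection connection = factory.createConnection();
        connection.start();
        Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
        MessageConsumer consumer = session.createConsumer(session.createQueue(QUEUE_NAME));

        Message msg = consumer.receive(5000); // wait up to 5 s for one message
        if (msg instanceof ObjectMessage) {
            try {
                // Deserialization happens here, restricted to the trusted package.
                Object payload = ((ObjectMessage) msg).getObject();
                System.out.println("accepted payload of type " + payload.getClass().getName());
            } catch (JMSException rejected) {
                // Untrusted class in the stream: record it for detection and drop
                // the message rather than retrying it.
                System.err.println("rejected ObjectMessage: " + rejected.getMessage());
            }
        } else {
            System.out.println("non-object message ignored: " + msg);
        }
        connection.close();
    }
}
```

Where the payload format is under your control, a TextMessage carrying JSON avoids Java serialization on the consumer entirely, which removes this class of flaw rather than filtering it.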

See also :

http://www.nessus.org/u?863a18c3
http://www.nessus.org/u?c9e2dfb5

Solution :

Update the affected package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 90235

Bugtraq ID:

CVE ID: CVE-2015-5254
