FreeBSD : activemq -- Unsafe deserialization (a258604d-f2aa-11e5-b4a9-ac220bdcec59)

High Nessus Plugin ID 90235


The remote FreeBSD host is missing a security-related update.


Alvaro Muñoz, Matthias Kaiser and Christian Schneider report:

JMS Object messages depend on Java Serialization for marshaling/unmarshaling of the message payload. There are a couple of places inside the broker where deserialization can occur, like web console or stomp object message transformation. As deserialization of untrusted data can lead to security flaws as demonstrated in various reports, this leaves the broker vulnerable to this attack vector.
Additionally, applications that consume ObjectMessage type of messages can be vulnerable as they deserialize objects on ObjectMessage.getObject() calls.


Update the affected package.
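Beyond updating the broker package, an application that consumes ObjectMessage payloads (the second point in the report above) can limit what getObject() is allowed to deserialize. The following is an added example, not code from the advisory or from the ActiveMQ project; it assumes a client library at a release that provides ActiveMQConnectionFactory.setTrustedPackages (5.12.2 or later), and the broker URL, queue name and trusted package are placeholders.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class HardenedObjectMessageConsumer {
    // Assumed values: the advisory names no broker, queue or application package.
    static final String BROKER_URL = "tcp://broker.example.internal:61616";
    static final String QUEUE_NAME = "orders";
    static final String APP_PACKAGE = "com.example.orders";

    public static void main(String[] args) throws JMSException {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL);
        // Allow-list the packages getObject() may resolve classes from.
        // java.lang / java.util cover boxed primitives and collections the app expects.
        factory.setTrustAllPackages(false);
        factory.setTrustedPackages(Arrays.asList(APP_PACKAGE, "java.lang", "java.util"));

        Connection conn = factory.createConnection();
        try {
            conn.start();
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageConsumer consumer = session.createConsumer(session.createQueue(QUEUE_NAME));
            Message msg = consumer.receive(5000);
            if (msg instanceof ObjectMessage) {
                try {
                    // Classes outside the allow-list are rejected before any
                    // readObject() runs; the client wraps that in a JMSException.
                    Object payload = ((ObjectMessage) msg).getObject();
                    System.out.println("accepted payload of type " + payload.getClass().getName());
                } catch (JMSException rejected) {
                    // Log and drop: a serialized class the app never expected arrived.
                    System.err.println("rejected ObjectMessage: " + rejected.getMessage());
                }
            } else if (msg != null) {
                System.out.println("non-object message of type " + msg.getJMSType());
            }
        } finally {
            conn.close();
        }
    }
}
```

The same allow-list can be set process-wide with the org.apache.activemq.SERIALIZABLE_PACKAGES system property, which is useful when the consumer code cannot be changed.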

Plugin Details

Severity: High

ID: 90235

File Name: freebsd_pkg_a258604df2aa11e5b4a9ac220bdcec59.nasl

Version: $Revision: 2.5 $

Type: local

Published: 2016/03/28

Modified: 2017/07/05

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P


Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:activemq, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/03/25

Vulnerability Publication Date: 2016/01/08

Exploitable With

Core Impact

Reference Information

CVE: CVE-2015-5254