Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6
CVSSv2

CVE-2016-4978

Published: 27/09/2016 Updated: 12/02/2023
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
VMScore: 534
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Subscribe to Apache

Vulnerability Summary

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis prior to 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache activemq artemis

redhat jboss_enterprise_application_platform 6.0.0

redhat jboss_enterprise_application_platform 6.4.0

redhat jboss_enterprise_application_platform 7.0.0

redhat jboss_enterprise_application_platform 7.1.0

Vendor Advisories

Red Hat: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update
Synopsis Important: Red Hat JBoss Enterprise Application Platform 6420 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64 for Red Hat Enterprise Linux 5Red Hat Product Security has rated this update as having a ...
Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.0.7 on RHEL 7
Synopsis Important: Red Hat JBoss Enterprise Application Platform 707 on RHEL 7 Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 70 for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a securi ...
Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update
Synopsis Important: Red Hat JBoss Enterprise Application Platform 710 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 71 for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a ...
Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update
Synopsis Important: Red Hat JBoss Enterprise Application Platform 710 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 71 for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a ...
Red Hat: Important: eap7-jboss-ec2-eap security update
Synopsis Important: eap7-jboss-ec2-eap security update Type/Severity Security Advisory: Important Topic An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 70 for RHEL 6 and Red Hat JBoss Enterprise Application Platform 70 for RHEL 7Red Hat Product Security ...
Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.0.7 on RHEL 6
Synopsis Important: Red Hat JBoss Enterprise Application Platform 707 on RHEL 6 Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 70 for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a securi ...
Red Hat: Important: eap7-jboss-ec2-eap security update
Synopsis Important: eap7-jboss-ec2-eap security update Type/Severity Security Advisory: Important Topic An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 71 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 71 for Red Hat Ent ...
Red Hat: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update
Synopsis Important: Red Hat JBoss Enterprise Application Platform 6420 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64 for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a ...
Red Hat: Important: eap6-jboss-ec2-eap security update
Synopsis Important: eap6-jboss-ec2-eap security update Type/Severity Security Advisory: Important Topic An update for jboss-ec2-eap is now available for Red Hat JBoss EnterpriseApplication Platform 64 for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a security impact ...
Red Hat: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update
Synopsis Important: Red Hat JBoss Enterprise Application Platform 6420 security update Type/Severity Security Advisory: Important Topic Updated packages that provide Red Hat JBoss Enterprise Application Platform6420, fixes several bugs, and adds various enhancements are now available from the Red Hat Cu ...
Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.0.7
Synopsis Important: Red Hat JBoss Enterprise Application Platform 707 Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application PlatformRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerabilit ...
Red Hat: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update
Synopsis Important: Red Hat JBoss Enterprise Application Platform 6420 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64 for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a ...
Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update
Synopsis Important: Red Hat JBoss Enterprise Application Platform 710 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application PlatformRed Hat Product Security has rated this update as having a security impact of Important A Com ...
Red Hat: CVE-2016-4978
It was found that use of a JMS ObjectMessage does not safely handle user supplied data when deserializing objects A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage ...

References

CWE-502http://mail-archives.apache.org/mod_mbox/activemq-users/201609.mbox/%3CCAH6wpnqzeNtpykT7emtDU1-GV7AvjFP5-YroWcCC4UZyQEFvtA%40mail.gmail.com%3Ehttps://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdfhttp://www.securityfocus.com/bid/93142https://access.redhat.com/errata/RHSA-2017:3458https://access.redhat.com/errata/RHSA-2017:3456https://access.redhat.com/errata/RHSA-2017:3455https://access.redhat.com/errata/RHSA-2017:3454https://access.redhat.com/errata/RHSA-2017:1837https://access.redhat.com/errata/RHSA-2017:1836https://access.redhat.com/errata/RHSA-2017:1835https://access.redhat.com/errata/RHSA-2017:1834https://access.redhat.com/errata/RHSA-2018:1451https://access.redhat.com/errata/RHSA-2018:1450https://access.redhat.com/errata/RHSA-2018:1449https://access.redhat.com/errata/RHSA-2018:1448https://access.redhat.com/errata/RHSA-2018:1447https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/7260bd0955c12aac5bd892039d3356ba3aa0ff4caaf2aa4fd4fe84a2%40%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afccabbcd9847a82088%40%3Ccommits.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/d4ffbc6a43a915324a394b2913ceb7d07bc352f2d08caa19df0aff02%40%3Cissues.activemq.apache.org%3Ehttps://nvd.nist.govhttps://access.redhat.com/errata/RHSA-2018:1450https://access.redhat.com/security/cve/cve-2016-4978
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-2907hardcodedinjectCVE-2024-20359CVE-2024-2467CVE-2024-4077CVE-2024-22391cameraCVE-2024-20353
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook