CVE-2015-5254

Published: Jan 8, 2016Modified: May 6, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

Affected (27)

Products: Redhat: Openshift · Apache: Activemq · Fedoraproject: Fedora

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift	Version 2.0

Configuration B

24 vulnerable

Vulnerable Software	Affected Versions
Apache Activemq	Version 5.0.0
Apache Activemq	Version 5.1.0
Apache Activemq	Version 5.10.0
Apache Activemq	Version 5.10.1
Apache Activemq	Version 5.10.2
Apache Activemq	Version 5.11.0
Apache Activemq	Version 5.11.1
Apache Activemq	Version 5.11.2
Apache Activemq	Version 5.12.0
Apache Activemq	Version 5.12.1
Apache Activemq	Version 5.2.0
Apache Activemq	Version 5.3.0
Apache Activemq	Version 5.3.1
Apache Activemq	Version 5.3.2
Apache Activemq	Version 5.4.0
Apache Activemq	Version 5.4.1
Apache Activemq	Version 5.4.3
Apache Activemq	Version 5.5.0
Apache Activemq	Version 5.5.1
Apache Activemq	Version 5.6.0
Apache Activemq	Version 5.7.0
Apache Activemq	Version 5.8.0
Apache Activemq	Version 5.9.0
Apache Activemq	Version 5.9.1

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 22
Fedoraproject Fedora	Version 23

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (26)

http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174371.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174537.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-0489.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-2035.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-2036.html

Source: secalert@redhat.com

http://www.debian.org/security/2016/dsa-3524

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2015/12/08/6

Source: secalert@redhat.com

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Source: secalert@redhat.com

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680

Source: secalert@redhat.com

https://issues.apache.org/jira/browse/AMQ-6013

Source: secalert@redhat.com

Vendor Advisory

https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E

Source: secalert@redhat.com

http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174371.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174537.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2016-0489.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2016-2035.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2016-2036.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2016/dsa-3524

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2015/12/08/6

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05385680

Source: af854a3a-2127-422b-91ae-364da2661108

https://issues.apache.org/jira/browse/AMQ-6013

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.