Main Vulnerability Database SB2016052401

SB2016052401 - Remote code execution in Apache Qpid

Published: May 24, 2016

Security Bulletin ID SB2016052401

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Deserialization of untrusted data (CVE-ID: CVE-2016-4974)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to access control error in Apache Qpid. A remote unauthenticated attacker can cause arbitrary code execution by a deserialization flaw in applications that call the getObject() function on a JMS ObjectMessage and invoke restricted classes on the application classpath.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

http://qpid.apache.org/