Bug#770780: Apache ActiveMQ Packaged with Old XStream Library
Georgi Geshev
georgi.geshev at mwrinfosecurity.com
Mon Nov 24 00:54:19 UTC 2014
Package: activemq
Version: 5.6.0+dfsg-1
Apache ActiveMQ as packaged for Debian seems to ship with an old XStream (1.4.2) library[1][2] which allows for instantiating arbitrary classes. This could be leveraged for system command execution as demonstrated against versions before 1.4.7.
# dpkg -S /usr/share/activemq/lib/optional/xstream.jar
activemq: /usr/share/activemq/lib/optional/xstream.jar
#
# dpkg -s activemq
Package: activemq
Status: install ok installed
Priority: optional
Section: java
Installed-Size: 217
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Architecture: all
Version: 5.6.0+dfsg-1
Depends: adduser (>= 3.11), libactivemq-java (= 5.6.0+dfsg-1), openjdk-6-jre-headless | java6-runtime-headless
Conffiles:
/etc/default/activemq 3353e02e20e45a2224c1559f7e52e0a7
/etc/activemq/instances-available/main/log4j.properties 7a52b5daa7fba629b28bc9c05ccc3dc0
/etc/activemq/instances-available/main/activemq.xml 0d815a59ffa96e5978540ceee4623b56
/etc/init.d/activemq 8eb32df2af38fce26258548ae04c538b
Description: Java message broker - server
Apache ActiveMQ is a message broker built around Java Message Service (JMS)
API : allow sending messages between two or more clients in a loosely coupled,
reliable, and asynchronous way.
.
This message broker supports :
* JMS 1.1 and J2EE 1.4 with support for transient, persistent, transactional
and XA messaging
* Spring Framework, CXF and Axis integration
* pluggable transport protocols such as in-VM, TCP, SSL, NIO, UDP, multicast,
JGroups and JXTA
* persistence using JDBC along with journaling
* OpenWire (cross language wire protocol) and
Stomp (Streaming Text Orientated Messaging Protocol) protocols
.
This package contains a server installation of ActiveMQ.
Homepage: http://activemq.apache.org
#
# unzip -p /usr/share/activemq/lib/optional/xstream.jar META-INF/maven/com.thoughtworks.xstream/xstream/pom.properties
#POM properties
#Mon May 28 22:20:08 UTC 2012
version=1.4.2
groupId=com.thoughtworks.xstream
debianVersion=debian
type=jar
classifier=
artifactId=xstream
#
[1] http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
[2] http://xstream.codehaus.org/security.html
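An added audit script (not part of the bug report or of the Debian package) that automates the manual `unzip -p ... pom.properties` check above: it reads the XStream version from a jar's Maven metadata and flags anything older than the 1.4.7 cut-off cited in the report. The sample jar is constructed in memory to mirror the `pom.properties` shown above; point it at `/usr/share/activemq/lib/optional/xstream.jar` on a real host.

```python
import io
import re
import sys
import zipfile

POM_PATH = "META-INF/maven/com.thoughtworks.xstream/xstream/pom.properties"
# The report states the class-instantiation issue was demonstrated against
# versions before 1.4.7, so that is the threshold used here.
CUTOFF = (1, 4, 7)


def parse_version(text):
    """Turn '1.4.2' (or '1.4.10-debian') into a tuple so 1.4.10 > 1.4.7 compares correctly."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def xstream_version_from_jar(jar):
    """Return the 'version=' value from the jar's pom.properties, or None if absent."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PATH not in zf.namelist():
            return None
        for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
            line = line.strip()
            if line.startswith("#") or "=" not in line:
                continue  # skips '#POM properties' and the timestamp comment
            key, value = line.split("=", 1)
            if key.strip() == "version":
                return value.strip()
    return None


def audit(jar):
    """Classify a jar as ('vulnerable'|'ok'|'unknown', version)."""
    version = xstream_version_from_jar(jar)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if parse_version(version) < CUTOFF else "ok", version)


def build_sample_jar(version):
    """Constructed test data: an in-memory jar carrying only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, "#POM properties\nversion=%s\n"
                    "groupId=com.thoughtworks.xstream\nartifactId=xstream\n" % version)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # With no arguments, audit the constructed 1.4.2 sample from the report.
    for target in sys.argv[1:] or [build_sample_jar("1.4.2")]:
        print(audit(target))
```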