Package: activemq
Version: 5.6.0+dfsg-1

Apache ActiveMQ as packaged for Debian seems to ship with an old XStream (1.4.2) library [1][2] which allows for instantiating arbitrary classes. This could be leveraged for system command execution, as demonstrated against versions before 1.4.7.
# dpkg -S /usr/share/activemq/lib/optional/xstream.jar
activemq: /usr/share/activemq/lib/optional/xstream.jar
#
# dpkg -s activemq
Package: activemq
Status: install ok installed
Priority: optional
Section: java
Installed-Size: 217
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Architecture: all
Version: 5.6.0+dfsg-1
Depends: adduser (>= 3.11), libactivemq-java (= 5.6.0+dfsg-1), openjdk-6-jre-headless | java6-runtime-headless
Conffiles:
 /etc/default/activemq 3353e02e20e45a2224c1559f7e52e0a7
 /etc/activemq/instances-available/main/log4j.properties 7a52b5daa7fba629b28bc9c05ccc3dc0
 /etc/activemq/instances-available/main/activemq.xml 0d815a59ffa96e5978540ceee4623b56
 /etc/init.d/activemq 8eb32df2af38fce26258548ae04c538b
Description: Java message broker - server
 Apache ActiveMQ is a message broker built around Java Message Service (JMS)
 API : allow sending messages between two or more clients in a loosely
 coupled, reliable, and asynchronous way.
 .
 This message broker supports :
  * JMS 1.1 and J2EE 1.4 with support for transient, persistent,
    transactional and XA messaging
  * Spring Framework, CXF and Axis integration
  * pluggable transport protocols such as in-VM, TCP, SSL, NIO, UDP,
    multicast, JGroups and JXTA
  * persistence using JDBC along with journaling
  * OpenWire (cross language wire protocol) and Stomp (Streaming Text
    Orientated Messaging Protocol) protocols
 .
 This package contains a server installation of ActiveMQ.
Homepage: http://activemq.apache.org
#
# unzip -p /usr/share/activemq/lib/optional/xstream.jar META-INF/maven/com.thoughtworks.xstream/xstream/pom.properties
#POM properties
#Mon May 28 22:20:08 UTC 2012
version=1.4.2
groupId=com.thoughtworks.xstream
debianVersion=debian
type=jar
classifier=
artifactId=xstream
#

[1] http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
[2] http://xstream.codehaus.org/security.html
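The check above was done by hand with unzip and a pom.properties read. The following POSIX sh script is an added example (not part of the bug report or of the Debian package) that automates the same inventory check so it can be run against any bundled XStream jar; it assumes unzip is installed and treats 1.4.7, the cutoff the report cites, as the minimum acceptable version.

```shell
#!/bin/sh
# Added example: audit an XStream jar by reading its bundled Maven
# pom.properties and flagging versions below 1.4.7 (the cutoff named in
# the report above). Assumes unzip is available.

# Compare two dotted numeric versions field by field.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2.
vercmp() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"          # missing component counts as 0
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# Read the version= line from pom.properties text on stdin, keeping only
# the numeric dotted prefix (so "1.4.7-SNAPSHOT" yields "1.4.7").
xstream_version_from_pom() {
  sed -n 's/^version=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when the given XStream version predates 1.4.7.
xstream_needs_upgrade() {
  [ "$(vercmp "$1" 1.4.7)" -eq -1 ]
}

# Audit one jar, e.g. /usr/share/activemq/lib/optional/xstream.jar.
# Exit 1 for a vulnerable version, 0 for an acceptable one, 2 if the jar
# carries no XStream pom.properties.
audit_xstream_jar() {
  jar="$1"
  pom="META-INF/maven/com.thoughtworks.xstream/xstream/pom.properties"
  ver=$(unzip -p "$jar" "$pom" 2>/dev/null | xstream_version_from_pom)
  if [ -z "$ver" ]; then
    echo "$jar: no XStream pom.properties found"; return 2
  fi
  if xstream_needs_upgrade "$ver"; then
    echo "$jar: XStream $ver predates 1.4.7 (arbitrary class instantiation)"
    return 1
  fi
  echo "$jar: XStream $ver is at or above 1.4.7"; return 0
}

# Usage: audit_xstream_jar /usr/share/activemq/lib/optional/xstream.jar
```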
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.