Bug#770780: Apache ActiveMQ Packaged with Old XStream Library

2014-12-02 Thread Georgi Geshev
Sent: Monday, November 24, 2014 5:36 AM To: Georgi Geshev; 770...@bugs.debian.org Subject: Re: Bug#770780: Apache ActiveMQ Packaged with Old XStream Library On 11/23/2014 04:54 PM, Georgi Geshev wrote: Package: activemq Version: 5.6.0+dfsg-1 Apache ActiveMQ as packaged for Debian seems to ship

Bug#770780: Apache ActiveMQ Packaged with Old XStream Library

2014-11-23 Thread Georgi Geshev
Package: activemq Version: 5.6.0+dfsg-1 Apache ActiveMQ as packaged for Debian seems to ship with an old XStream (1.4.2) library[1][2] which allows for instantiating arbitrary classes. This could be leveraged for system command execution as demonstrated against versions before 1.4.7. # dpkg

Bug#769887: Apache ActiveMQ Packaged with JMX/RMI Enabled

2014-11-17 Thread Georgi Geshev
Package: activemq Version: 5.6.0+dfsg-1 It looks like Apache ActiveMQ as packaged for Debian comes with a JMX/RMI service listening on all network interfaces and allowing for unauthenticated access. Achieving system command execution is as simple as querying JMX for the RMI registry endpoint