Sent: Monday, November 24, 2014 5:36 AM
To: Georgi Geshev; 770...@bugs.debian.org
Subject: Re: Bug#770780: Apache ActiveMQ Packaged with Old XStream Library
On 11/23/2014 04:54 PM, Georgi Geshev wrote:
Package: activemq
Version: 5.6.0+dfsg-1
Apache ActiveMQ as packaged for Debian seems to ship with an old XStream
(1.4.2) library[1][2] which allows for instantiating arbitrary classes. This
could be leveraged for system command execution as demonstrated against
versions before 1.4.7.
It looks like Apache ActiveMQ as packaged for Debian comes with a JMX/RMI service
listening on all network interfaces and allowing unauthenticated access.
Achieving system command execution is as simple as querying JMX for the RMI
registry endpoint