Hi Marian-

This appears to be a standard “if the server gets compromised, bad actors can do other bad things” security issue.

Deserialization (in many programming languages) can always lead to security problems if a bad actor is able to compromise the system by deploying malicious code. Keep in mind this requires a bad actor to install malicious code on the server, and restart the ActiveMQ process. If they can do all that, they already have compromised the system.

Hope this helps.

-Matt Pavlovich

> On Aug 1, 2023, at 6:57 AM, Marian Stanciu <marian.stan...@tufin.com> wrote:
>
> Hi,
>
> We are using a docker container of ActiveMQ 5.17.0 and our vulnerability
> scanner found the library spring-web-5.3.16.jar which is vulnerable to
> cve-2016-1000027.
>
> Can you confirm/infirm if Active MQ is affected / whether it uses a Spring
> remoting endpoint?
>
> More details about this vulnerability:
> Pivotal Spring Framework through 5.3.16 suffers from a potential remote code
> execution (RCE) issue if used for Java deserialization of untrusted data.
> Depending on how the library is implemented within a product, this issue may
> or not occur, and authentication may be required. NOTE: the vendor's position
> is that untrusted data is not an intended use case. The product's behavior
> will not be changed because some users rely on deserialization of trusted
> data.
>
> https://nvd.nist.gov/vuln/detail/cve-2016-1000027
>
> Thank you!
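A check for the question raised in this thread (whether a Spring XML configuration actually declares a Spring Remoting endpoint, the kind of bean CVE-2016-1000027 concerns), as an added example that is not part of the original exchange or the ActiveMQ project. The sample configuration is constructed and the `/remoteService` bean in it is hypothetical; only the `org.springframework.remoting.` package prefix and the Spring class names are real.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Spring Remoting classes deserialize Java objects exchanged with remote callers;
# these are the endpoints CVE-2016-1000027 is about. Real Spring package prefix.
REMOTING_PREFIX = "org.springframework.remoting."

# Constructed sample in the style of an activemq.xml, with one hypothetical
# remoting bean added so the check has something to find. Not a real ActiveMQ file.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:amq="http://activemq.apache.org/schema/core">
  <amq:broker brokerName="localhost" dataDirectory="${activemq.data}">
    <amq:transportConnectors>
      <amq:transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    </amq:transportConnectors>
  </amq:broker>
  <bean id="cfg" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
  <bean name="/remoteService" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="serviceInterface" value="com.example.Service"/>
  </bean>
</beans>
"""


def find_remoting_beans(xml_text: str) -> List[Dict[str, str]]:
    """Return every <bean> whose class lives in the Spring Remoting package."""
    root = ET.fromstring(xml_text)
    hits: List[Dict[str, str]] = []
    for elem in root.iter():
        # Drop the XML namespace so <bean> and <beans:bean> are both matched.
        if elem.tag.rsplit("}", 1)[-1] != "bean":
            continue
        cls = elem.get("class", "")
        if cls.startswith(REMOTING_PREFIX):
            hits.append({
                "id": elem.get("id") or elem.get("name") or "(anonymous)",
                "class": cls,
                # *Exporter beans expose a server-side endpoint that deserializes
                # requests; other remoting beans are client proxies that deserialize
                # replies. Either way serialized Java objects cross a trust boundary.
                "role": "server endpoint" if cls.endswith("Exporter") else "client proxy",
            })
    return hits


if __name__ == "__main__":
    for hit in find_remoting_beans(SAMPLE_CONFIG):
        print(f"{hit['role']}: bean {hit['id']} -> {hit['class']}")
```

Running it against a real deployment means feeding it the broker's Spring XML files (for example the activemq.xml inside the container); an empty result means no remoting endpoint is declared in that configuration, which is the point Matt's answer turns on.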