CVE-2015-5254
Description
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.activemq:activemq-client (Maven) | >= 5.0.0, < 5.11.3 | 5.11.3 |
| org.apache.activemq:activemq-client (Maven) | >= 5.12.0, < 5.12.2 | 5.12.2 |
Patches
73a0caf758f9 https://issues.apache.org/jira/browse/AMQ-6013 - init serializable packages statically
4 files changed · +12 −19
activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java+8 −12 modified@@ -34,10 +34,15 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream { private static final ClassLoader FALLBACK_CLASS_LOADER = ClassLoadingAwareObjectInputStream.class.getClassLoader(); - private static String[] serializablePackages; + public static final String[] serializablePackages; private final ClassLoader inLoader; + static { + serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", + "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(","); + } + public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException { super(in); inLoader = in.getClass().getClassLoader(); @@ -81,24 +86,15 @@ protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, Cl } } - public static String[] getSerialziablePackages() { - if (serializablePackages == null) { - serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", - "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(","); - } - - return serializablePackages; - }; - public static boolean isAllAllowed() { - return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*"); + return serializablePackages.length == 1 && serializablePackages[0].equals("*"); } private void checkSecurity(Class clazz) throws ClassNotFoundException { if (!clazz.isPrimitive()) { if (clazz.getPackage() != null && !isAllAllowed()) { boolean found = false; - for (String packageName : getSerialziablePackages()) { + for (String packageName : serializablePackages) { if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) { found = true; break;
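Review bot: Exposing `serializablePackages` as a `public static final String[]` leaves the allowlist mutable: any code in the JVM can overwrite an entry (for example to `*`) and widen it without touching the system property, and dropping the public `getSerialziablePackages()` accessor at the same time breaks any external caller of it. Keep the field private and hand out an unmodifiable view — `private static final List<String> SERIALIZABLE_PACKAGES = Collections.unmodifiableList(Arrays.asList(System.getProperty(...).split(",")));` with `public static List<String> getSerializablePackages() { return SERIALIZABLE_PACKAGES; }` — and point XStreamSupport at the getter. Reading the property in a static initializer also means `-Dorg.apache.activemq.SERIALIZABLE_PACKAGES` must be on the JVM command line before this class is first loaded; a later `System.setProperty` is silently ignored (presumably why the test change in this commit removes one), so state that in the class Javadoc. `checkSecurity` continues outside the hunk.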
activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java+2 −4 modified@@ -19,14 +19,11 @@ import java.io.IOException; import java.io.Reader; -<<<<<<< HEAD -======= import com.thoughtworks.xstream.converters.Converter; import com.thoughtworks.xstream.converters.MarshallingContext; import com.thoughtworks.xstream.converters.UnmarshallingContext; import com.thoughtworks.xstream.io.HierarchicalStreamReader; import com.thoughtworks.xstream.io.HierarchicalStreamWriter; ->>>>>>> a7e2a44... https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker import org.apache.activemq.command.MarshallAware; import org.apache.activemq.command.MessageDispatch; import org.apache.activemq.transport.stomp.XStreamSupport; @@ -102,7 +99,8 @@ public int getCurrentWireFormatVersion() { } // Properties - // -------------------------------------------------activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java + // ------------------------------------------------- + public XStream getXStream() { if (xStream == null) { xStream = createXStream(); // make it work in OSGi env
activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java+1 −1 modified@@ -37,7 +37,7 @@ public static XStream createXStream() { if (ClassLoadingAwareObjectInputStream.isAllAllowed()) { stream.addPermission(AnyTypePermission.ANY); } else { - for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) { + for (String packageName : ClassLoadingAwareObjectInputStream.serializablePackages) { stream.allowTypesByWildcard(new String[]{packageName + ".**"}); } }
activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java+1 −2 modified@@ -108,8 +108,7 @@ public void tearDown() throws Exception { } public void startBroker() throws Exception { - System.setProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "*"); - createBroker(true); + createBroker(); XStreamBrokerContext context = new XStreamBrokerContext(); brokerService.setBrokerContext(context);
7eb9b218b270 https://issues.apache.org/jira/browse/AMQ-6013 - init serializable packages statically
4 files changed · +12 −19
activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java+8 −12 modified@@ -34,10 +34,15 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream { private static final ClassLoader FALLBACK_CLASS_LOADER = ClassLoadingAwareObjectInputStream.class.getClassLoader(); - private static String[] serializablePackages; + public static final String[] serializablePackages; private final ClassLoader inLoader; + static { + serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", + "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(","); + } + public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException { super(in); inLoader = in.getClass().getClassLoader(); @@ -83,24 +88,15 @@ protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, Cl } } - public static String[] getSerialziablePackages() { - if (serializablePackages == null) { - serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", - "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(","); - } - - return serializablePackages; - }; - public static boolean isAllAllowed() { - return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*"); + return serializablePackages.length == 1 && serializablePackages[0].equals("*"); } private void checkSecurity(Class clazz) throws ClassNotFoundException { if (!clazz.isPrimitive()) { if (clazz.getPackage() != null && !isAllAllowed()) { boolean found = false; - for (String packageName : getSerialziablePackages()) { + for (String packageName : serializablePackages) { if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) { found = true; break;
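Review bot: The static initializer splits the property on `,` without trimming, so a value written as `java.lang, com.example` yields the entry ` com.example`, which never matches in `checkSecurity` (it compares with `equals` and `startsWith(packageName + ".")`); the package is silently excluded, which fails closed but is hard to diagnose, and an empty entry likewise matches nothing. Trim each entry and drop empty ones when building the array, e.g. loop over the split result with `String p = raw.trim(); if (!p.isEmpty()) entries.add(p);` before converting to the array, and log the effective allowlist once at startup so operators can confirm what is in force. `isAllAllowed()` only recognises a property that is exactly `*`; `*` mixed with other entries is treated as a literal package name and allows nothing extra, which is worth stating in the class Javadoc. `checkSecurity`'s body continues outside the hunk.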
activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java+2 −4 modified@@ -19,14 +19,11 @@ import java.io.IOException; import java.io.Reader; -<<<<<<< HEAD -======= import com.thoughtworks.xstream.converters.Converter; import com.thoughtworks.xstream.converters.MarshallingContext; import com.thoughtworks.xstream.converters.UnmarshallingContext; import com.thoughtworks.xstream.io.HierarchicalStreamReader; import com.thoughtworks.xstream.io.HierarchicalStreamWriter; ->>>>>>> a7e2a44... https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker import org.apache.activemq.command.MarshallAware; import org.apache.activemq.command.MessageDispatch; import org.apache.activemq.transport.stomp.XStreamSupport; @@ -102,7 +99,8 @@ public int getCurrentWireFormatVersion() { } // Properties - // -------------------------------------------------activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java + // ------------------------------------------------- + public XStream getXStream() { if (xStream == null) { xStream = createXStream(); // make it work in OSGi env
activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java+1 −1 modified@@ -37,7 +37,7 @@ public static XStream createXStream() { if (ClassLoadingAwareObjectInputStream.isAllAllowed()) { stream.addPermission(AnyTypePermission.ANY); } else { - for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) { + for (String packageName : ClassLoadingAwareObjectInputStream.serializablePackages) { stream.allowTypesByWildcard(new String[]{packageName + ".**"}); } }
activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java+1 −2 modified@@ -111,8 +111,7 @@ public void tearDown() throws Exception { } public void startBroker() throws Exception { - System.setProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "*"); - createBroker(true); + createBroker(); XStreamBrokerContext context = new XStreamBrokerContext(); brokerService.setBrokerContext(context);
e7a4b53f7996 https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker
7 files changed · +114 −14
activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java+49 −5 modified@@ -21,6 +21,9 @@ import java.io.ObjectInputStream; import java.io.ObjectStreamClass; import java.lang.reflect.Proxy; +import java.util.Arrays; +import java.util.Collection; +import java.util.Map; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -31,6 +34,8 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream { private static final ClassLoader FALLBACK_CLASS_LOADER = ClassLoadingAwareObjectInputStream.class.getClassLoader(); + private static String[] serializablePackages; + private final ClassLoader inLoader; public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException { @@ -41,7 +46,9 @@ public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException { @Override protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException { ClassLoader cl = Thread.currentThread().getContextClassLoader(); - return load(classDesc.getName(), cl, inLoader); + Class clazz = load(classDesc.getName(), cl, inLoader); + checkSecurity(clazz); + return clazz; } @Override 
@@ -52,21 +59,58 @@ protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, Cl cinterfaces[i] = load(interfaces[i], cl); } + Class clazz = null; try { - return Proxy.getProxyClass(cl, cinterfaces); + clazz = Proxy.getProxyClass(cl, cinterfaces); } catch (IllegalArgumentException e) { try { - return Proxy.getProxyClass(inLoader, cinterfaces); + clazz = Proxy.getProxyClass(inLoader, cinterfaces); } catch (IllegalArgumentException e1) { // ignore } try { - return Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces); + clazz = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces); } catch (IllegalArgumentException e2) { // ignore } + } + + if (clazz != null) { + checkSecurity(clazz); + return clazz; + } else { + throw new ClassNotFoundException(null); + } + } + + public static String[] getSerialziablePackages() { + if (serializablePackages == null) { + serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", + "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(","); + } + + return serializablePackages; + }; - throw new ClassNotFoundException(null, e); + public static boolean isAllAllowed() { + return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*"); + } + + private void checkSecurity(Class clazz) throws ClassNotFoundException { + if (!clazz.isPrimitive()) { + if (clazz.getPackage() != null && !isAllAllowed()) { + boolean found = false; + for (String packageName : getSerialziablePackages()) { + if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) { + found = true; + break; + } + } + + if (!found) { + throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not allowed to be serialized. Add package with 'org.apache.activemq.SERIALIZABLE_PACKAGES' system property."); + } + } } }
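Review bot: `checkSecurity` is only consulted after `load(classDesc.getName(), cl, inLoader)` has already resolved the class named by the stream, so attacker-chosen class names are still looked up through the context, stream and fallback loaders before the allowlist applies, and if `load` (not visible here) initializes the class, its static initializer runs too. Check the name first: derive the package from `classDesc.getName()` (text before the last `.`), test it against `serializablePackages` in `resolveClass`, and only then call `load`. The `clazz.getPackage() != null` guard also means a null package is treated as allowed — classes in the unnamed package, array classes and possibly generated classes fall through — so unless `isAllAllowed()` a null package should be rejected with the same `ClassNotFoundException`. Finally, `java.lang` and `java.util` are broad prefixes, so the default list is only as safe as the classes under them; the Javadoc should say this is a package-prefix allowlist and that operators adding a package are accepting every class beneath it.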
activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java+11 −3 modified@@ -19,8 +19,17 @@ import java.io.IOException; import java.io.Reader; +<<<<<<< HEAD +======= +import com.thoughtworks.xstream.converters.Converter; +import com.thoughtworks.xstream.converters.MarshallingContext; +import com.thoughtworks.xstream.converters.UnmarshallingContext; +import com.thoughtworks.xstream.io.HierarchicalStreamReader; +import com.thoughtworks.xstream.io.HierarchicalStreamWriter; +>>>>>>> a7e2a44... https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker import org.apache.activemq.command.MarshallAware; import org.apache.activemq.command.MessageDispatch; +import org.apache.activemq.transport.stomp.XStreamSupport; import org.apache.activemq.transport.util.TextWireFormat; import org.apache.activemq.wireformat.WireFormat; @@ -93,8 +102,7 @@ public int getCurrentWireFormatVersion() { } // Properties - // ------------------------------------------------------------------------- - public XStream getXStream() { + // -------------------------------------------------activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java if (xStream == null) { xStream = createXStream(); // make it work in OSGi env @@ -110,7 +118,7 @@ public void setXStream(XStream xStream) { // Implementation methods // ------------------------------------------------------------------------- protected XStream createXStream() { - XStream xstream = new XStream(); + final XStream xstream = XStreamSupport.createXStream(); xstream.ignoreUnknownElements(); return xstream; }
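Review bot: The new side of this hunk commits unresolved merge markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> a7e2a44...`) into the import section and replaces the `public XStream getXStream() {` signature with a comment line carrying a file path, leaving `if (xStream == null) {` outside any method; as committed the file cannot compile, so the `XStreamSupport.createXStream()` hardening in `createXStream()` below does not reach a build until the follow-up commit on this page restores those lines. Resolve the markers (the five `com.thoughtworks.xstream` converter/io imports are not used anywhere in the visible hunk and look droppable) and restore `// -------------------------------------------------------------------------` followed by `public XStream getXStream() {`. `getXStream()` and `createXStream()` both continue outside the hunk.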
activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java+2 −2 modified@@ -91,7 +91,7 @@ public ActiveMQMessage convertFrame(ProtocolConverter converter, StompFrame comm msg = createMapMessage(in); break; default: - throw new Exception("Unkown transformation: " + transformation); + throw new Exception("Unknown transformation: " + transformation); } } catch (Throwable e) { command.getHeaders().put(Headers.TRANSFORMATION_ERROR, e.getMessage()); @@ -254,7 +254,7 @@ protected XStream createXStream() { } if (xstream == null) { - xstream = new XStream(); + xstream = XStreamSupport.createXStream(); xstream.ignoreUnknownElements(); }
activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java+47 −0 added@@ -0,0 +1,47 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.transport.stomp; + +import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.security.AnyTypePermission; +import com.thoughtworks.xstream.security.NoTypePermission; +import com.thoughtworks.xstream.security.PrimitiveTypePermission; +import org.apache.activemq.util.ClassLoadingAwareObjectInputStream; + +import java.util.Collection; +import java.util.Map; + +public class XStreamSupport { + + public static XStream createXStream() { + XStream stream = new XStream(); + stream.addPermission(NoTypePermission.NONE); + stream.addPermission(PrimitiveTypePermission.PRIMITIVES); + stream.allowTypeHierarchy(Collection.class); + stream.allowTypeHierarchy(Map.class); + stream.allowTypes(new Class[]{String.class}); + if (ClassLoadingAwareObjectInputStream.isAllAllowed()) { + stream.addPermission(AnyTypePermission.ANY); + } else { + for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) { + stream.allowTypesByWildcard(new String[]{packageName + ".**"}); + } + } + return stream; + } + +}
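Review bot: `allowTypeHierarchy(Collection.class)` and `allowTypeHierarchy(Map.class)` accept any class on the broker classpath that implements those interfaces, regardless of package, which is broader than the package allowlist that `ClassLoadingAwareObjectInputStream` enforces for native serialization and gives the STOMP/HTTP XStream path a looser policy than ObjectMessage gets. Since the default allowlist already contains `java.util`, the standard collections are covered by the `allowTypesByWildcard` loop; drop the two hierarchy grants (or confine them to JDK implementations) so both code paths enforce the same set. Add a Javadoc on `createXStream()` stating that the `*` value of `org.apache.activemq.SERIALIZABLE_PACKAGES` switches on `AnyTypePermission.ANY` and so disables XStream type checking as well as the ObjectInputStream check, since one property governs both.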
activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java+1 −1 modified@@ -111,7 +111,7 @@ public void tearDown() throws Exception { } public void startBroker() throws Exception { - + System.setProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "*"); createBroker(true); XStreamBrokerContext context = new XStreamBrokerContext();
activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/util/XStreamBrokerContext.java+2 −1 modified@@ -23,14 +23,15 @@ import org.apache.activemq.transport.stomp.SamplePojo; import com.thoughtworks.xstream.XStream; +import org.apache.activemq.transport.stomp.XStreamSupport; public class XStreamBrokerContext implements BrokerContext { private final Map<String, XStream> beansMap = new HashMap<String, XStream>(); public XStreamBrokerContext() { - XStream stream = new XStream(); + XStream stream = XStreamSupport.createXStream(); stream.processAnnotations(SamplePojo.class); beansMap.put("xstream", stream);
activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java+2 −2 modified@@ -81,9 +81,9 @@ public Object getBody() throws JMSException { if (message instanceof ObjectMessage) { try { return ((ObjectMessage) message).getObject(); - } catch (JMSException e) { + } catch (Exception e) { //message could not be parsed, make the reason available - return e; + return new String("Cannot display ObjectMessage body. Reason: " + e.getMessage()); } } if (message instanceof MapMessage) {
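Review bot: `getBody()` still calls `getObject()` on an `ObjectMessage` chosen by a web-console user, which deserializes the message payload in the console's request thread; after this change the only barrier between a crafted message and code execution on that path is the package allowlist in `ClassLoadingAwareObjectInputStream`. For a display-only view consider not deserializing at all — report the body type and size, or gate `getObject()` behind an explicit console option — and log the exception with its stack trace rather than only echoing `e.getMessage()`, which may be null and may name the rejected class to the viewer. `new String(...)` around a concatenation is redundant; `return "Cannot display ObjectMessage body. Reason: " + e.getMessage();` is equivalent. `getBody()` continues outside the hunk.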
6f03921b31d9 https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker
7 files changed · +115 −15
activemq-client/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java+49 −5 modified@@ -21,6 +21,9 @@ import java.io.ObjectInputStream; import java.io.ObjectStreamClass; import java.lang.reflect.Proxy; +import java.util.Arrays; +import java.util.Collection; +import java.util.Map; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -31,6 +34,8 @@ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream { private static final ClassLoader FALLBACK_CLASS_LOADER = ClassLoadingAwareObjectInputStream.class.getClassLoader(); + private static String[] serializablePackages; + private final ClassLoader inLoader; public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException { @@ -40,7 +45,9 @@ public ClassLoadingAwareObjectInputStream(InputStream in) throws IOException { protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException { ClassLoader cl = Thread.currentThread().getContextClassLoader(); - return load(classDesc.getName(), cl, inLoader); + Class clazz = load(classDesc.getName(), cl, inLoader); + checkSecurity(clazz); + return clazz; } protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException { 
@@ -50,21 +57,58 @@ protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, Cl cinterfaces[i] = load(interfaces[i], cl); } + Class clazz = null; try { - return Proxy.getProxyClass(cl, cinterfaces); + clazz = Proxy.getProxyClass(cl, cinterfaces); } catch (IllegalArgumentException e) { try { - return Proxy.getProxyClass(inLoader, cinterfaces); + clazz = Proxy.getProxyClass(inLoader, cinterfaces); } catch (IllegalArgumentException e1) { // ignore } try { - return Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces); + clazz = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces); } catch (IllegalArgumentException e2) { // ignore } + } + + if (clazz != null) { + checkSecurity(clazz); + return clazz; + } else { + throw new ClassNotFoundException(null); + } + } + + public static String[] getSerialziablePackages() { + if (serializablePackages == null) { + serializablePackages = System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", + "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(","); + } + + return serializablePackages; + }; - throw new ClassNotFoundException(null, e); + public static boolean isAllAllowed() { + return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*"); + } + + private void checkSecurity(Class clazz) throws ClassNotFoundException { + if (!clazz.isPrimitive()) { + if (clazz.getPackage() != null && !isAllAllowed()) { + boolean found = false; + for (String packageName : getSerialziablePackages()) { + if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) { + found = true; + break; + } + } + + if (!found) { + throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not allowed to be serialized. Add package with 'org.apache.activemq.SERIALIZABLE_PACKAGES' system property."); + } + } } }
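Review bot: In `resolveProxyClass` every interface name from the stream is resolved with `load(interfaces[i], cl)` before any allowlist check, and the check that follows applies only to the generated proxy class, whose `getPackage()` may be null for a generated class and would then skip `checkSecurity` entirely (it only runs when `getPackage() != null`); run the package check on each interface name before loading it. The restructured failure path now throws `new ClassNotFoundException(null)` and discards the `IllegalArgumentException` that the removed `throw new ClassNotFoundException(null, e)` chained, so a rejected or unloadable proxy surfaces with no message and no cause; keep the last exception in a local and throw `new ClassNotFoundException("Cannot create proxy for " + Arrays.toString(interfaces), lastError)`. The inner `catch (IllegalArgumentException e1)` / `e2` blocks remain empty, so all three loader attempts fail silently before that point.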
activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java+11 −3 modified@@ -19,8 +19,17 @@ import java.io.IOException; import java.io.Reader; +<<<<<<< HEAD +======= +import com.thoughtworks.xstream.converters.Converter; +import com.thoughtworks.xstream.converters.MarshallingContext; +import com.thoughtworks.xstream.converters.UnmarshallingContext; +import com.thoughtworks.xstream.io.HierarchicalStreamReader; +import com.thoughtworks.xstream.io.HierarchicalStreamWriter; +>>>>>>> a7e2a44... https://issues.apache.org/jira/browse/AMQ-6013 - restrict classes which can be serialized inside the broker import org.apache.activemq.command.MarshallAware; import org.apache.activemq.command.MessageDispatch; +import org.apache.activemq.transport.stomp.XStreamSupport; import org.apache.activemq.transport.util.TextWireFormat; import org.apache.activemq.wireformat.WireFormat; @@ -93,8 +102,7 @@ public int getCurrentWireFormatVersion() { } // Properties - // ------------------------------------------------------------------------- - public XStream getXStream() { + // -------------------------------------------------activemq-http/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java if (xStream == null) { xStream = createXStream(); // make it work in OSGi env @@ -110,7 +118,7 @@ public void setXStream(XStream xStream) { // Implementation methods // ------------------------------------------------------------------------- protected XStream createXStream() { - XStream xstream = new XStream(); + final XStream xstream = XStreamSupport.createXStream(); xstream.ignoreUnknownElements(); return xstream; }
activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java+2 −2 modified@@ -91,7 +91,7 @@ public ActiveMQMessage convertFrame(ProtocolConverter converter, StompFrame comm msg = createMapMessage(in); break; default: - throw new Exception("Unkown transformation: " + transformation); + throw new Exception("Unknown transformation: " + transformation); } } catch (Throwable e) { command.getHeaders().put(Headers.TRANSFORMATION_ERROR, e.getMessage()); @@ -254,7 +254,7 @@ protected XStream createXStream() { } if (xstream == null) { - xstream = new XStream(); + xstream = XStreamSupport.createXStream(); xstream.ignoreUnknownElements(); }
activemq-stomp/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java+47 −0 added@@ -0,0 +1,47 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.transport.stomp; + +import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.security.AnyTypePermission; +import com.thoughtworks.xstream.security.NoTypePermission; +import com.thoughtworks.xstream.security.PrimitiveTypePermission; +import org.apache.activemq.util.ClassLoadingAwareObjectInputStream; + +import java.util.Collection; +import java.util.Map; + +public class XStreamSupport { + + public static XStream createXStream() { + XStream stream = new XStream(); + stream.addPermission(NoTypePermission.NONE); + stream.addPermission(PrimitiveTypePermission.PRIMITIVES); + stream.allowTypeHierarchy(Collection.class); + stream.allowTypeHierarchy(Map.class); + stream.allowTypes(new Class[]{String.class}); + if (ClassLoadingAwareObjectInputStream.isAllAllowed()) { + stream.addPermission(AnyTypePermission.ANY); + } else { + for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) { + stream.allowTypesByWildcard(new String[]{packageName + ".**"}); + } + } + return stream; + } + +}
activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/StompTestSupport.java+2 −2 modified@@ -108,8 +108,8 @@ public void tearDown() throws Exception { } public void startBroker() throws Exception { - - createBroker(); + System.setProperty("org.apache.activemq.SERIALIZABLE_PACKAGES", "*"); + createBroker(true); XStreamBrokerContext context = new XStreamBrokerContext(); brokerService.setBrokerContext(context);
activemq-stomp/src/test/java/org/apache/activemq/transport/stomp/util/XStreamBrokerContext.java+2 −1 modified@@ -23,14 +23,15 @@ import org.apache.activemq.transport.stomp.SamplePojo; import com.thoughtworks.xstream.XStream; +import org.apache.activemq.transport.stomp.XStreamSupport; public class XStreamBrokerContext implements BrokerContext { private final Map<String, XStream> beansMap = new HashMap<String, XStream>(); public XStreamBrokerContext() { - XStream stream = new XStream(); + XStream stream = XStreamSupport.createXStream(); stream.processAnnotations(SamplePojo.class); beansMap.put("xstream", stream);
activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java+2 −2 modified@@ -81,9 +81,9 @@ public Object getBody() throws JMSException { if (message instanceof ObjectMessage) { try { return ((ObjectMessage) message).getObject(); - } catch (JMSException e) { + } catch (Exception e) { //message could not be parsed, make the reason available - return e; + return new String("Cannot display ObjectMessage body. Reason: " + e.getMessage()); } } if (message instanceof MapMessage) {
Vulnerability mechanics
Before the fix, `ClassLoadingAwareObjectInputStream.resolveClass` simply returned `load(classDesc.getName(), cl, inLoader)`, so a serialized ObjectMessage body could name any class reachable from the broker's class loaders and have it instantiated during deserialization; the STOMP and HTTP transports likewise built a bare `new XStream()` with no type permissions. Anything in the broker that deserializes a message body on behalf of a remote sender is a trigger — the diff shows one such path, the web console's `MessageQuery.getBody()` calling `ObjectMessage.getObject()`. The patches add `checkSecurity()` to `resolveClass`/`resolveProxyClass`, which rejects any class whose package is not in the `org.apache.activemq.SERIALIZABLE_PACKAGES` list (default: java.lang, java.util, org.apache.activemq, org.fusesource.hawtbuf, com.thoughtworks.xstream.mapper; the value `*` disables the check), apply the same list to XStream through `XStreamSupport.createXStream()`, and make the console return a plain string instead of the caught exception. Operators must pass the property as a JVM `-D` flag: the final commits read it once in a static initializer, so it cannot be changed after the class loads.
References
- github.com/advisories/GHSA-q9hr-3pg4-3jp4 (GHSA, advisory)
- issues.apache.org/jira/browse/AMQ-6013nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2015-5254ghsaADVISORY
- activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txtnvdWEB
- lists.fedoraproject.org/pipermail/package-announce/2015-December/174371.htmlnvdWEB
- lists.fedoraproject.org/pipermail/package-announce/2015-December/174537.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-0489.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-2035.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-2036.htmlnvdWEB
- www.debian.org/security/2016/dsa-3524nvdWEB
- www.openwall.com/lists/oss-security/2015/12/08/6nvdWEB
- www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlnvdWEB
- www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlnvdWEB
- github.com/apache/activemq/commit/6f03921b31d9fefeddb0f4fa63150ed1f94a14bghsaWEB
- github.com/apache/activemq/commit/73a0caf758f9e4916783a205c7e422b4db27905ghsaWEB
- github.com/apache/activemq/commit/7eb9b218b2705cf9273e30ee2da026e43b6dd4eghsaWEB
- github.com/apache/activemq/commit/e7a4b53f799685e337972dd36ba0253c04bcc01ghsaWEB
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvdWEB
- lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3EghsaWEB
- lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3Envd