CVE-2018-1310
Description
Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A deserialization flaw in the ActiveMQ client library used by Apache NiFi before 1.6.0 allows denial of service via crafted JMS messages.
Vulnerability
Apache NiFi before version 1.6.0 bundles an ActiveMQ client library that is vulnerable to a deserialization issue (CVE-2015-5254). An attacker who can inject malicious JMS content into a NiFi flow that processes JMS messages can trigger unsafe deserialization, leading to a denial of service [1][2]. The vulnerable library was upgraded to activemq-client 5.15.3 in NiFi 1.6.0, fixing the issue [2].
Exploitation
An attacker must have the ability to send crafted JMS messages to a NiFi instance that consumes JMS data, for example by placing a malicious message on a JMS broker that NiFi listens to. No authentication requirement is stated; network access to the JMS broker may be sufficient. The attacker supplies a serialized Java object that, when deserialized by the ActiveMQ client, causes the NiFi process to hang or crash [1][2].
Impact
Successful exploitation results in a denial of service (DoS) — the NiFi instance may become unresponsive or terminate, disrupting data processing. The CIA impact is limited to availability; there is no evidence of remote code execution or data disclosure from this specific issue [1][2].
Mitigation
Upgrade Apache NiFi to version 1.6.0 or later, which includes the activemq-client library version 5.15.3 that resolves CVE-2015-5254 [1][2]. Users of prior 1.x releases should upgrade immediately. No workaround is documented; there is no indication that this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.nifi:nifi (Maven) | < 1.6.0 | 1.6.0 |
Affected products
- Apache Software Foundation/Apache NiFi (Range: 0.1.0 - 1.5.0)
References
- github.com/advisories/GHSA-p76j-5v6v-6c22 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1310 (ghsa, ADVISORY)
- nifi.apache.org/security.html (ghsa, x_refsource_CONFIRM, WEB)