CVE-2016-4974

Name of the Vulnerable Software and Affected Versions Apache Qpid AMQP 0-x JMS client versions prior to 6.0.4 Apache Qpid JMS (AMQP 1.0) versions prior to 0.10.0

Description The issue allows remote authenticated users with permission to send messages to deserialize arbitrary objects and execute arbitrary code by leveraging a crafted serialized object in a JMS ObjectMessage that is handled by the getObject function. This is due to the lack of restriction on the use of classes available on the classpath.

Recommendations For Apache Qpid AMQP 0-x JMS client versions prior to 6.0.4, update to version 6.0.4 or later. For Apache Qpid JMS (AMQP 1.0) versions prior to 0.10.0, update to version 0.10.0 or later.