Apache · Apache Qpid AMQP 0-x JMS Client · CVE-2016-4974
**Name of the Vulnerable Software and Affected Versions**
Apache Qpid AMQP 0-x JMS client versions prior to 6.0.4
Apache Qpid JMS (AMQP 1.0) versions prior to 0.10.0
**Description**
The vulnerability allows remote authenticated users with permission to send messages to make the receiving client deserialize arbitrary objects, and so execute arbitrary code, by placing a crafted serialized object in a JMS ObjectMessage that the application unpacks with the `getObject` method. The cause is that the client placed no restriction on which classes available on the classpath could be deserialized from such a message.
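The missing control is an allow-list at the point where an ObjectMessage payload is deserialized. As an added illustration of that mitigation, not code from Apache Qpid, the Java class below restricts deserialization to explicitly named classes by overriding `resolveClass`; `OrderEvent` and the allow-list contents are assumed application types. On Java 9 and later the same policy can be expressed with the JDK's built-in `ObjectInputFilter`, and the fixed client versions provide their own configurable class allow/deny lists for ObjectMessage payloads.

```java
import java.io.*;
import java.util.Set;

// Consumer-side guard for ObjectMessage payloads: an ObjectInputStream that only
// resolves classes on an explicit allow-list, so a crafted stream cannot load
// gadget classes that merely happen to be on the classpath.
public class RestrictedObjectInputStream extends ObjectInputStream {
    private final Set<String> allowedClasses;

    public RestrictedObjectInputStream(byte[] payload, Set<String> allowedClasses) throws IOException {
        super(new ByteArrayInputStream(payload));
        this.allowedClasses = allowedClasses;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowedClasses.contains(name)) {  // decide before any class is loaded
            throw new InvalidClassException(name, "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Hypothetical application payload type; every legitimate message type goes on the list.
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId; final int quantity;
        OrderEvent(String orderId, int quantity) { this.orderId = orderId; this.quantity = quantity; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(OrderEvent.class.getName());
        byte[] expected = serialize(new OrderEvent("A-1", 3));
        try (ObjectInputStream in = new RestrictedObjectInputStream(expected, allowed)) {
            System.out.println("accepted: " + ((OrderEvent) in.readObject()).orderId);
        }
        // Constructed stand-in for an unexpected class in the stream (here a plain ArrayList).
        byte[] unexpected = serialize(new java.util.ArrayList<String>());
        try (ObjectInputStream in = new RestrictedObjectInputStream(unexpected, allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check belongs wherever ObjectMessage content is unpacked, independent of the broker: a sender's permission to publish says nothing about what the serialized stream contains.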
**Recommendations**
For Apache Qpid AMQP 0-x JMS client versions prior to 6.0.4, update to version 6.0.4 or later.
For Apache Qpid JMS (AMQP 1.0) versions prior to 0.10.0, update to version 0.10.0 or later.