PT-2016-6204 · Apache · Apache Activemq Artemis

Published: 2016-09-27 · Updated: 2023-02-12 · CVE-2016-4978

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache ActiveMQ Artemis versions prior to 1.4.0

Description: The issue allows remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes present on the Artemis classpath. This is due to a problem in the getObject method of the javax.jms.ObjectMessage class in the JMS Core client, Artemis broker, and Artemis REST component.

Recommendations: For Apache ActiveMQ Artemis versions prior to 1.4.0, update to version 1.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the getObject method of the javax.jms.ObjectMessage class to minimize the risk of exploitation.
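The workaround above ("restrict access to getObject") is easy to get wrong, because gadget chains run inside readObject, before the consumer ever sees the returned object, so a type check after getObject() comes too late. The following consumer-side hardening is an added illustration, not code from Apache ActiveMQ Artemis or from this advisory. It combines a JVM-wide JEP 290 ObjectInputFilter (Java 9+), which bounds every java.io.ObjectInputStream the client opens, including the one behind ObjectMessage.getObject(), with a listener that only calls getObject() when the application actually expects a serialized payload. The package com.example.orders, the OrderEvent type and the handler methods are assumptions made for the example.

```java
import java.io.ObjectInputFilter;
import java.io.Serializable;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.ObjectMessage;
import javax.jms.TextMessage;

/**
 * Hypothetical JMS consumer hardened against untrusted ObjectMessage payloads.
 * Layer 1: a process-wide deserialization allowlist (JEP 290).
 * Layer 2: never call getObject() unless a serialized payload is expected,
 *          and reject anything that is not the expected type afterwards.
 */
public final class HardenedListener implements MessageListener {

    // Allowlist pattern (assumed for the example): the application's own payload
    // package, a few JDK types it depends on, resource bounds, and a final "!*"
    // that rejects every class not matched earlier. Gadget classes on the
    // classpath are therefore never instantiated by ObjectInputStream.
    static final String SERIAL_FILTER =
        "com.example.orders.**;java.lang.*;java.util.*;java.time.*;"
        + "maxdepth=10;maxrefs=1000;maxbytes=65536;!*";

    /** Install the process-wide filter once, before any JMS session is opened. */
    static void installSerialFilter() {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(SERIAL_FILTER);
        // setSerialFilter may only be called once per JVM (and not at all when
        // -Djdk.serialFilter is set); call it from application start-up.
        ObjectInputFilter.Config.setSerialFilter(filter);
    }

    @Override
    public void onMessage(Message message) {
        try {
            if (message instanceof TextMessage) {
                // Preferred path: a text/JSON contract needs no Java deserialization.
                handleText(((TextMessage) message).getText());
            } else if (message instanceof ObjectMessage) {
                // getObject() deserializes here; the filter above is what stops a
                // malicious stream, the instanceof check below only validates the
                // result for well-formed-but-wrong payloads.
                Object payload = ((ObjectMessage) message).getObject();
                if (!(payload instanceof OrderEvent)) {
                    throw new IllegalStateException(
                        "unexpected payload type " + payload.getClass().getName());
                }
                handleOrder((OrderEvent) payload);
            } else {
                throw new IllegalStateException(
                    "unsupported message type " + message.getClass().getName());
            }
        } catch (JMSException e) {
            throw new IllegalStateException("failed to read message", e);
        }
    }

    private void handleText(String body) {
        System.out.println("text message: " + body);
    }

    private void handleOrder(OrderEvent event) {
        System.out.println("order event: " + event.orderId + " " + event.status);
    }

    /** Hypothetical application payload living in the allowlisted package. */
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final String status;

        public OrderEvent(String orderId, String status) {
            this.orderId = orderId;
            this.status = status;
        }
    }
}
```

Call HardenedListener.installSerialFilter() during application start-up (or set the equivalent pattern with -Djdk.serialFilter on the JVM command line) so that the filter is in place before the first message is consumed; a filter installed after deserialization has begun protects nothing. Artemis 1.4.0 and later additionally expose connection-factory settings that restrict ObjectMessage deserialization to allowed package names; the release documentation gives the exact parameter names, and upgrading remains the fix this advisory recommends.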


Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2016-4978
GHSA-R9VV-XJ4W-G8M8
RHSA-2017:1834
RHSA-2017:1835
RHSA-2017:1837
RHSA-2017:3454
RHSA-2017:3455
RHSA-2017:3458
RHSA-2018:1448
RHSA-2018:1449
RHSA-2018:1450
RHSA-2018:1451

Affected Products

Apache Activemq Artemis