Sid 1-46304

Message

SERVER-OTHER Apache ActiveMQ JMS ObjectMessage deserialization attempt

Summary

This event is generated when an Apache ActiveMQ JMS ObjectMessage containing a serialized object is detected.

Impact

Misc activity

CVE-2015-5254:

CVSS base score 9.8

CVSS impact score 5.9

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2015-5254: Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

Affected systems

  • apache activemq 5.0.0
  • apache activemq 5.1.0
  • apache activemq 5.2.0
  • apache activemq 5.3.0
  • apache activemq 5.3.1
  • apache activemq 5.3.2
  • apache activemq 5.4.0
  • apache activemq 5.4.1
  • apache activemq 5.4.3
  • apache activemq 5.5.0
  • apache activemq 5.5.1
  • apache activemq 5.6.0
  • apache activemq 5.7.0
  • apache activemq 5.8.0
  • apache activemq 5.9.0
  • apache activemq 5.9.1
  • apache activemq 5.10.0
  • apache activemq 5.10.1
  • apache activemq 5.10.2
  • apache activemq 5.11.0
  • apache activemq 5.11.1
  • apache activemq 5.11.2
  • apache activemq 5.12.0
  • apache activemq 5.12.1
  • redhat openshift 2.0
  • fedoraproject fedora 22
  • fedoraproject fedora 23

Ease of attack

CVE-2015-5254:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References