CVE-2015-5254 - Unsafe deserialization in ActiveMQ

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache ActiveMQ 5.0.0 - 5.12.1

Description: JMS Object messages depend on Java Serialization for marshaling/unmarshaling of the message payload. There are a couple of places inside the broker where deserialization can occur, such as the web console or STOMP object message transformation. As deserialization of untrusted data can lead to security flaws, as demonstrated in various reports, this leaves the broker vulnerable to this attack vector. Additionally, applications that consume ObjectMessage type messages can be vulnerable, as they deserialize objects on ObjectMessage.getObject() calls.

Mitigation: Upgrade to Apache ActiveMQ 5.13.0. Additionally, if you are using the ObjectMessage message type, you need to explicitly list trusted packages. To see how to do that, please take a look at: http://activemq.apache.org/objectmessage.html

Credit: This issue was discovered by:

* Alvaro Muñoz - @pwntester
* Matthias Kaiser - @matthias_kaiser
* Christian Schneider - @cschneider4711

Special thanks to Matthias Kaiser for providing the detailed analysis of the vulnerability.
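The following is an added example, not part of the advisory or the ActiveMQ project's own code, showing what the mitigation looks like from the consuming application's side on ActiveMQ 5.13.0 or later. It uses the real ActiveMQConnectionFactory.setTrustedPackages(List<String>) API that the referenced objectmessage.html page documents, together with the in-process vm:// transport so that it runs without an external broker. The package name com.example.orders, the queue name and the OrderEvent payload class are constructed for the demonstration. Note that setTrustedPackages replaces the default allow-list, so java.lang and java.util must be listed again if your payloads rely on them.

```java
package com.example.orders;

import java.io.Serializable;
import java.net.URI;
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.ObjectMessage;
import javax.jms.Queue;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class TrustedPackagesDemo {

    // Constructed payload type. It lives in the package we allow-list below, so the
    // consumer is permitted to deserialize it.
    public static class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
    }

    public static void main(String[] args) throws Exception {
        // The vm:// transport starts an embedded, non-persistent broker in-process,
        // so nothing needs to be running beforehand.
        ActiveMQConnectionFactory factory =
            new ActiveMQConnectionFactory("vm://localhost?broker.persistent=false");

        // Explicit allow-list of packages whose classes may be deserialized from
        // ObjectMessage payloads (ActiveMQ 5.13.0+). This REPLACES the defaults, so
        // java.lang / java.util are re-added here because the payload references them.
        factory.setTrustedPackages(Arrays.asList("com.example.orders", "java.lang", "java.util"));
        // factory.setTrustAllPackages(true) would disable the check again and
        // reopen the CVE-2015-5254 attack surface; leave it off.

        Connection connection = factory.createConnection();
        try {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue queue = session.createQueue("orders.demo");   // constructed queue name
            MessageProducer producer = session.createProducer(queue);
            MessageConsumer consumer = session.createConsumer(queue);

            // 1) Payload from an allow-listed package: getObject() deserializes it normally.
            producer.send(session.createObjectMessage(new OrderEvent("A-1001")));
            ObjectMessage accepted = (ObjectMessage) consumer.receive(5000);
            OrderEvent event = (OrderEvent) accepted.getObject();
            System.out.println("accepted: " + event.orderId);

            // 2) Payload from a package that is NOT on the list (java.net): getObject()
            // refuses to resolve the class and throws a JMSException (wrapping a
            // ClassNotFoundException) before any of the payload's code can run.
            producer.send(session.createObjectMessage(new URI("http://example.invalid/")));
            ObjectMessage blocked = (ObjectMessage) consumer.receive(5000);
            try {
                blocked.getObject();
                System.out.println("UNEXPECTED: untrusted class was deserialized");
            } catch (JMSException expected) {
                System.out.println("rejected: " + expected.getMessage());
            }
        } finally {
            connection.close();
        }
    }
}
```

The same allow-list can be supplied without code changes through the org.apache.activemq.SERIALIZABLE_PACKAGES system property (a comma-separated list of package prefixes), which is convenient for consumers you cannot modify. Either way, keep the list as narrow as your own payload types require rather than falling back to trusting all packages.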