ObjectMessage: unsafe deserialization

🗓️ 22 Mar 2016 16:49:04Reported by RedHatType

redhat

redhat🔗 access.redhat.com👁 2 Views

Unsafe deserialization in Java Message Service ObjectMessage allows remote code execution from user supplied data.

Reporter	Title	Published	Views	Family All 68
IBM Security Bulletins	Security Bulletin: IBM Tivoli Netcool Impact is affected by multiple vulnerabilities in IBM Tivoli Integrated Portal (TIP)	17 Jun 201815:50	–	ibm
IBM Security Bulletins	Security Bulletin: A security vulnerability has been identified in Jazz for Service Management shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2015-5254)	17 Jun 201815:48	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Security Vulnerabilities in ActiveMQ Affect IBM Sterling B2B Integrator	5 Feb 202000:53	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Jazz for Service Management is vulnerable due to Log4j 1.2 SocketServer Remote Code Execution and Deserialization of Untrusted Data	24 Jun 202511:56	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Tivoli Netcool Impact affected by OpenSource Apache ActiveMQ Vulnerability (CVE-2015-5254)	17 Jun 201815:48	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Apache ActiveMQ affects IBM Control Center (CVE-2015-5254)	17 Dec 201922:47	–	ibm
IBM Security Bulletins	Security Bulletin: OpenSource Apache ActiveMQ Vulnerability identified with Jazz for Service Management (JazzSM) v1.1.3 (CVE-2015-5254)	17 Jun 201815:47	–	ibm
IBM Security Bulletins	Security Bulletin: OpenSource Apache ActiveMQ vulnerabilities identified with IBM Tivoli Integrated Portal (TIP) v2.2	17 Jun 201815:50	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities have been identified in IBM Tivoli Integrated Portal (TIP) shipped with Tivoli Business Service Manager (CVE-2015-5254, CVE-2014-3600, CVE-2014-3612, CVE-2014-8110, CVE-2014-3579)	17 Jun 201815:50	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Application Performance Management	2 May 202412:46	–	ibm

OS	OS Version	Architecture	Package	Package Version	Filename
Red Hat Enterprise Linux	6	x86_64	activemq	0:5.9.0-6.redhat.611454.el6op	activemq-0:5.9.0-6.redhat.611454.el6op.x86_64.rpm
Red Hat Enterprise Linux	6	x86_64	activemq-client	0:5.9.0-6.redhat.611454.el6op	activemq-client-0:5.9.0-6.redhat.611454.el6op.x86_64.rpm
Red Hat Enterprise Linux	6	any	jenkins	0:1.625.3-1.el6op	jenkins-0:1.625.3-1.el6op.noarch.rpm
Red Hat Enterprise Linux	6	any	openshift-enterprise-release	0:2.2.9-1.el6op	openshift-enterprise-release-0:2.2.9-1.el6op.noarch.rpm
Red Hat Enterprise Linux	6	any	openshift-enterprise-upgrade-broker	0:2.2.9-1.el6op	openshift-enterprise-upgrade-broker-0:2.2.9-1.el6op.noarch.rpm
Red Hat Enterprise Linux	6	any	openshift-enterprise-upgrade-node	0:2.2.9-1.el6op	openshift-enterprise-upgrade-node-0:2.2.9-1.el6op.noarch.rpm
Red Hat Enterprise Linux	6	any	openshift-enterprise-yum-validator	0:2.2.9-1.el6op	openshift-enterprise-yum-validator-0:2.2.9-1.el6op.noarch.rpm
Red Hat Enterprise Linux	6	any	openshift-origin-broker-util	0:1.37.5.3-1.el6op	openshift-origin-broker-util-0:1.37.5.3-1.el6op.noarch.rpm
Red Hat Enterprise Linux	6	any	openshift-origin-cartridge-cron	0:1.25.2.1-1.el6op	openshift-origin-cartridge-cron-0:1.25.2.1-1.el6op.noarch.rpm
Red Hat Enterprise Linux	6	any	openshift-origin-cartridge-haproxy	0:1.31.5.1-1.el6op	openshift-origin-cartridge-haproxy-0:1.31.5.1-1.el6op.noarch.rpm

Source	Link
activemq	www.activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt
access	www.access.redhat.com/security/cve/CVE-2015-5254
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
nvd	www.nvd.nist.gov/vuln/detail/CVE-2015-5254
cve	www.cve.org/CVERecord

18 Feb 2026 19:39Current

7.8High risk

Vulners AI Score7.8

CVSS 27.5

CVSS 39.8

EPSS0.37936

Unsafe deserialization Java Message Service ObjectMessage Remote code execution User supplied data