Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN245

_____________________________________________________________________

DATE                : 22/04/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache ActiveMQ NMS OpenWire
                          Client versions prior to 2.1.1.

=====================================================================
https://lists.apache.org/thread/d2d1r7118z5fs92rorw4gtg1l3jzhsg3
_____________________________________________________________________

CVE-2025-29953: Apache ActiveMQ NMS OpenWire Client: deserialization
allowlist bypass

Severity: moderate

Affected versions:

- Apache ActiveMQ NMS OpenWire Client before 2.1.1

Description:

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ
NMS OpenWire Client.

This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1
when performing connections to untrusted servers. Such servers could
abuse the unbounded deserialization in the client to provide 
alicious responses that may eventually cause arbitrary code
execution on the client. Version 2.1.0 introduced a allow/denylist
feature to restrict deserialization, but this feature could be
bypassed.

The .NET team has deprecated the built-in .NET binary serialization
feature starting with .NET 9 and suggests migrating away from
binary serialization. The project is considering to follow suit
and drop this part of the NMS API altogether.

Users are recommended to upgrade to version 2.1.1, which fixes the
issue. We also recommend to migrate away from relying on .NET
binary serialization as a hardening method for the future.

This issue is being tracked as AMQNET-844 


Credit:

g7shot working with Trend Zero Day Initiative (finder)


References:

https://activemq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-29953
https://issues.apache.org/jira/browse/AMQNET-844


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================