Apache ActiveMQ NMS OpenWire Client Deserialization Vulnerability Allowlist Bypass
Vulnerability
A deserialization vulnerability allowing untrusted data to be processed has been identified in Apache ActiveMQ NMS OpenWire Client versions prior to 2.1.1. When the client connects to an untrusted server, that server can exploit the lack of deserialization limits to send malicious responses, potentially leading to arbitrary code execution on the client. Although version 2.1.0 introduced an allow/denylist feature to control deserialization, this control could be bypassed. The .NET team has deprecated the built-in binary serialization feature starting with .NET 9 and recommends migrating away from binary serialization. The ActiveMQ project is considering a similar move, potentially dropping this aspect of the NMS API altogether.
Impact
Exploitation of this vulnerability could result in arbitrary code execution on the client.
Remediation
Users are advised to upgrade to Apache ActiveMQ NMS OpenWire Client version 2.1.1 or later, which addresses this vulnerability. Additionally, it is recommended to migrate away from using .NET binary serialization as a hardening measure.
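To find projects still pinned to an affected client, the following added Python script (not part of the advisory or of the ActiveMQ project) scans a .csproj for PackageReference entries of the Apache.NMS.ActiveMQ NuGet package below 2.1.1; the package id is assumed to be the one the project references, and the sample project file is constructed for the demonstration.

```python
"""Audit .csproj files for Apache.NMS.ActiveMQ references pinned below the fixed version."""
import xml.etree.ElementTree as ET

# Package name and first fixed version come from the advisory above.
PACKAGE = "Apache.NMS.ActiveMQ"
FIXED_VERSION = "2.1.1"

def parse_version(v):
    """Turn a NuGet-style version into a sortable key; pre-releases sort before the release."""
    core, _, pre = v.strip().partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * max(0, 3 - len(nums))
    return nums, ((0, pre) if pre else (1, ""))

def is_vulnerable(version):
    """True when the version is below the first fixed release named in the advisory."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def _local(tag):
    # Strip the MSBuild XML namespace that old-style project files carry.
    return tag.rsplit("}", 1)[-1]

def find_vulnerable_references(csproj_xml):
    """Return (package, version, status) for each Apache.NMS.ActiveMQ PackageReference.
    status is 'vulnerable' for a pinned vulnerable version and 'review' for ranges,
    wildcards or MSBuild properties that must be resolved by hand."""
    root = ET.fromstring(csproj_xml)
    findings = []
    for ref in root.iter():
        if _local(ref.tag) != "PackageReference":
            continue
        name = ref.get("Include") or ref.get("Update")
        if name is None or name.lower() != PACKAGE.lower():
            continue
        version = ref.get("Version")
        if version is None:
            child = next((c for c in ref if _local(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        if version is None:
            findings.append((name, "<unspecified>", "review"))
        elif any(ch in version for ch in "[(*,$"):
            findings.append((name, version, "review"))
        elif is_vulnerable(version):
            findings.append((name, version, "vulnerable"))
    return findings

# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Apache.NMS.ActiveMQ" Version="2.1.0" />
    <PackageReference Include="Apache.NMS" Version="2.1.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, version, status in find_vulnerable_references(SAMPLE_CSPROJ):
        print(f"{status}: {name} {version} (fixed in {FIXED_VERSION})")
```

Entries reported as "review" (version ranges, wildcards or MSBuild properties) need the resolved version checked in the lock file or restore output.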
