Overview

CVE-2015-5254 - Unsafe Deserialization in ActiveMQ Vulnerability

  • Posted February 9, 2016

  • Assessed Risk Level: Medium

On December 8, 2015, the ActiveMQ project announced CVE-2015-5254, which addresses unsafe deserialization.

The default configuration of Puppet Enterprise is not affected by the vulnerabilities in the December 2015 ActiveMQ Security Announcement. If you have enabled the ActiveMQ web console, you may be vulnerable.

Puppet Enterprise 3.8.4 and 2015.3.2 include an updated version of ActiveMQ to address this vulnerability.

For more information about the vulnerability, please refer to the ActiveMQ security announcement.

Status:

Affected Software Versions:

  • Puppet Enterprise 3.x prior to 3.8.4
  • Puppet Enterprise 2015.3.x prior to 2015.3.2

Resolved in:

  • Puppet Enterprise 3.8.4
  • Puppet Enterprise 2015.3.2