CRITICAL
Rule Definition
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
JMS ObjectMessage depends on Java serialization for marshaling/unmarshaling of the message payload. There are a couple of places inside the broker where deserialization can occur, such as the web console or STOMP object message transformation. As the deserialization of untrusted data can lead to security flaws, as demonstrated in various reports, this leaves the broker vulnerable to this attack vector. Additionally, applications that consume messages of type ObjectMessage can be vulnerable, because they deserialize the payload on ObjectMessage.getObject() calls.
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Remediation
Upgrade to Apache ActiveMQ 5.13.1. Additionally, if you use the ObjectMessage message type, you need to explicitly list the trusted packages.
Violation Code Sample
Calling setTrustAllPackages(true) turns off the security check and trusts every class on the classpath, as in the following examples:
Sample 1
ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
factory.setTrustAllPackages(true); // disables the whitelist: any class can be deserialized from an ObjectMessage
Sample 2
public void init(ActiveMQConfig activeMQConfig, Environment environment) {
    // same problem inside a configuration hook: the whitelist is switched off for the whole factory
    ((ActiveMQConnectionFactory) this.jmsConnectionFactory).setTrustAllPackages(true);
}
-------------------------------------------------------------------------------------------
The whitelist mechanism can also be disabled in Spring XML as follows:
<bean id="connectionFactory" class="org.apache.activemq.spring.ActiveMQConnectionFactory">
<property name="brokerURL" value="tcp://localhost:61616"/>
<property name="trustAllPackages" value="true"/>
</bean>
<bean id="jmsConfig" class="org.apache.camel.component.jms.JmsConfiguration">
<property name="connectionFactory" ref="connectionFactory"/>
</bean>
<bean id="activemq" class="org.apache.activemq.camel.component.ActiveMQComponent">
<property name="configuration" ref="jmsConfig"/>
</bean>
Fixed Code Sample
Upgrade to Apache ActiveMQ 5.13.1. Additionally, if you use the ObjectMessage message type, you need to explicitly list the trusted packages as follows:
1- Add the following bean:
import java.util.Arrays;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.springframework.context.annotation.Bean;

@Bean
public ActiveMQConnectionFactory activeMQConnectionFactory() {
    ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("your broker URL");
    // only classes from the listed packages may be deserialized from ObjectMessage payloads
    factory.setTrustedPackages(Arrays.asList("com.my.package"));
    return factory;
}
2- The list of trusted packages can also be set in XML. For example, a Camel endpoint in a Spring XML file can be configured as follows:
<bean id="connectionFactory" class="org.apache.activemq.spring.ActiveMQConnectionFactory">
<property name="brokerURL" value="tcp://localhost:61616"/>
<property name="trustedPackages"> <!-- whitelist of packages trusted for ObjectMessage payloads -->
<list>
<value>org.apache.activemq.test</value>
<value>org.apache.camel.test</value>
</list>
</property>
</bean>
<bean id="jmsConfig" class="org.apache.camel.component.jms.JmsConfiguration">
<property name="connectionFactory" ref="connectionFactory"/>
</bean>
<bean id="activemq" class="org.apache.activemq.camel.component.ActiveMQComponent">
<property name="configuration" ref="jmsConfig"/>
</bean>
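The following runnable example (added here; it is not part of the CAST rule or of ActiveMQ itself) shows the whitelist from steps 1 and 2 in action: the same ObjectMessage payload is accepted when its package is trusted and rejected by getObject() when it is not. It assumes an ActiveMQ 5.13.1 or later broker library on the classpath (the embedded vm:// transport needs activemq-broker) and uses a constructed Order class in the package example.demo.

```java
package example.demo;

import java.io.Serializable;
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.ObjectMessage;
import javax.jms.Queue;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class TrustedPackagesDemo {

    // Constructed sample payload; its package is "example.demo".
    public static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    /** Sends an Order as an ObjectMessage and reads it back with the given trusted-package list. */
    static String roundTrip(String... trustedPackages) throws JMSException {
        // Embedded, non-persistent broker so no external ActiveMQ instance is needed.
        ActiveMQConnectionFactory factory =
                new ActiveMQConnectionFactory("vm://localhost?broker.persistent=false");
        factory.setTrustedPackages(Arrays.asList(trustedPackages)); // replaces the default list
        Connection connection = factory.createConnection();
        try {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            Queue queue = session.createQueue("orders.demo");
            session.createProducer(queue).send(session.createObjectMessage(new Order("A-1")));
            ObjectMessage received = (ObjectMessage) session.createConsumer(queue).receive(5000);
            try {
                // Deserialization happens here; classes outside the trusted packages are refused.
                Order order = (Order) received.getObject();
                return "accepted " + order.id;
            } catch (JMSException e) {
                return "rejected: " + e.getMessage();
            }
        } finally {
            connection.close();
        }
    }

    public static void main(String[] args) throws JMSException {
        System.out.println(roundTrip("example.demo"));   // payload package is trusted
        System.out.println(roundTrip("com.my.package")); // payload package is not trusted
    }
}
```

Note that setTrustedPackages replaces the built-in default list (java.lang, java.util and a few others), so any standard-library types your payloads rely on must be listed again.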
Reference
https://access.redhat.com/documentation/en-us/red_hat_jboss_a-mq/6.3/html/security_guide/securebroker-objectmessage
https://nvd.nist.gov/vuln/detail/CVE-2015-5254
https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.