v-p-b (9)

Based on vendor assessment the vulnerability (deserialization of untrusted data) is present in Active MQ Artemis too, but the Spring class used in the public exploit is not available in this flavor of the software (only works against ActiveMQ Classic). Exploitability of Artemis needs further research.

Based on the published details the vulnerable program object executes with *OWNER privileges (similarly to how SUID executables work), but use the Library List (similar to the PATH environment variable) of the executing user, who can thus replace program dependencies to make their code execute in the context of a different user profile. This other user profile (QAUTPROF) has authority to impersonate QFAXMSF (also installed as part of the vulnerable software package), that has *ALLOBJ (“All Object” – similar to uid=0) special authority on the system. This is a local privilege escalation from any user profile (with command line access) to complete control over the system.

Based on the published vulnerability details authentication bypass is possible likely because the DDM service fails to terminate the session as an authentication error is detected, but proceeds to parse subsequent commands incoming from the connection. The commands sent by the attacking client can include instructions for command execution, making this an unauthenticated RCE.