This is an automated email from the ASF dual-hosted git repository.

cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq.git


The following commit(s) were added to refs/heads/main by this push:
     new 78688246e9 More security.md updates (#2163)
78688246e9 is described below

commit 78688246e9962abe03daf62bc1c93cc92e723b2a
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Mon Jun 29 19:30:47 2026 -0400

    More security.md updates (#2163)
---
 SECURITY.md | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 065593be8a..03b82241e8 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -37,13 +37,13 @@ Apache ActiveMQ project recommends applying 
defense-in-depth and security-first
 
 Layers of security provide valuable options to prevent attacks, and to provide 
a buffer for when vulnerabilities at any layer are reported to provide 
reasonable time to test and apply fixes without impacting business-critical 
messaging traffic.
 
-Users are advised to secure their environments
+Users are expected to secure their environments
 
-1. The web console is not designed to be exposed to the public Internet.
+1. The Web Console and Jolokia REST API are not designed to be exposed to the 
public Internet. Only admins should be granted access.
 
 2. Require user authentication and authorization for all connectivity 
including JMX, Jolokia, REST API and the web console.
 
-3. Require SSL connections on all transport connectors. 
+3. Require SSL connections on all transport connectors.
 
 4. Disable transport connectors for protocols that are not used by application 
clients.
 
@@ -57,7 +57,9 @@ Users are advised to secure their environments
 
 9. Limit inbound and outbound network connectivity to and from an ActiveMQ 
server.
 
-10. Normal users need permission to create advisory topics but should 
generally **not** be given permission to read/write to those topics as those 
messages are meant for admins. A notable exception is for temporary destination 
advisory topics. For more information see the authorization section 
[here](https://activemq.apache.org/components/classic/documentation/security#authorization).
 
+10. Do not run the broker using the root user, instead create a user account 
to use for the broker. Users are expected to secure their OS and their file 
system with proper permissions and controls. The broker does not try and limit 
access to files, it relies on the operating system to do so.
+
+11. Normal users need permission to create advisory topics but should 
generally **not** be given permission to read/write to those topics as those 
messages are meant for admins. A notable exception is for temporary destination 
advisory topics. For more information see the authorization section 
[here](https://activemq.apache.org/components/classic/documentation/security#authorization).
 
 ## ActiveMQ Security Improvement Project
 
@@ -77,6 +79,12 @@ The Apache ActiveMQ team has initiated a security hardening 
project to move from
 
 7. [Done] VM Transport creation blocks the XBean factory by default
 
+8. [Done] Limit the maximum size of uncompressed message bodies with the 
`maxInflatedDataSize` and `maxInflatedDataSizeRatio` settings.
+
+9. [Done] Validate all size values during unmarshalling before using those 
sizes for allocating buffers
+
+10. [Done] The WebConsole and Jolokia have been restricted to only admins.
+
 ## Security vs Features
 
 AI code scanning tools often mistaken designed features as a security issue. 
It is the responsibility of the reporter to review AI output and verify if it's 
a real issue. There has been a large number of invalid submissions that could 
be avoided by simply reviewing the JMS spec and the features of the broker 
itself.
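Review bot: the three new items are inconsistent with each other and with hunk 1: item 8 ends with a period, item 9 does not, and item 10 spells the component "WebConsole" while hunk 1 uses "Web Console" in the same file. More substantively, item 8 is marked "[Done]" as if the `maxInflatedDataSize` and `maxInflatedDataSizeRatio` limits are applied automatically, but the last hunk in this same patch says DoS reports will be rejected "because users did not configure a maxFrameSize or maxInflatedDataSize", which implies operators must set them; state in item 8 whether a default limit is enforced out of the box or whether the setting only exists and must be configured, and link to where it is documented, so the two sections do not contradict each other.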
@@ -95,4 +103,6 @@ Some of the most common reported examples:
 
 1. Exploits that are only possible because users did not configure 
authentication or authorization. It is expected users modify the default 
configuration appropriately to enable security for their environment. 
 
-2. Any attack that require administrative access to be granted. For example, 
by default Jolokia now requires administrative access. By definition admins are 
allowed to do anything, so if the issue requires the user to login with admin 
credentials then the report will not be accepted and would be treated as a bug.
+2. Any attack that require administrative access to be granted. For example, 
by default Jolokia and the web console now requires administrative access. By 
definition admins are allowed to do anything, so if the issue requires the user 
to login with admin credentials then the report will not be accepted and would 
be treated as a bug.
+
+3. DoS attacks caused by OOM because users did not configure a maxFrameSize or 
maxInflatedDataSize which are designed to limit the size of messages in memory.
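Review bot: the rewritten item 2 carries over a grammar error from the old line and adds another: "Any attack that require administrative access" should be "Any attack that requires administrative access", and with the web console added the subject is plural, so "Jolokia and the web console now requires" should be "now require". The closing clause "the report will not be accepted and would be treated as a bug" is also ambiguous about what is treated as a bug (the report, or the underlying behaviour); suggest "the report will not be accepted as a vulnerability; at most it will be handled as an ordinary bug" or similar. In the new item 3, "a maxFrameSize" mixes an article with a configuration key; write the settings as `maxFrameSize` and `maxInflatedDataSize` in code style as item 8 of the previous hunk does, and say which transports or components each one applies to so reporters can check the relevant setting before filing.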

