This is an automated email from the ASF dual-hosted git repository.
cshannon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/main by this push:
new 78688246e9 More security.md updates (#2163)
78688246e9 is described below
commit 78688246e9962abe03daf62bc1c93cc92e723b2a
Author: Christopher L. Shannon <[email protected]>
AuthorDate: Mon Jun 29 19:30:47 2026 -0400
More security.md updates (#2163)
---
SECURITY.md | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index 065593be8a..03b82241e8 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -37,13 +37,13 @@ Apache ActiveMQ project recommends applying
defense-in-depth and security-first
Layers of security provide valuable options to prevent attacks, and to provide
a buffer for when vulnerabilities at any layer are reported to provide
reasonable time to test and apply fixes without impacting business-critical
messaging traffic.
-Users are advised to secure their environments
+Users are expected to secure their environments
-1. The web console is not designed to be exposed to the public Internet.
+1. The Web Console and Jolokia REST API are not designed to be exposed to the
public Internet. Only admins should be granted access.
2. Require user authentication and authorization for all connectivity
including JMX, Jolokia, REST API and the web console.
-3. Require SSL connections on all transport connectors.
+3. Require SSL connections on all transport connectors.
4. Disable transport connectors for protocols that are not used by application
clients.
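Review bot: the `-3.`/`+3.` pair in this hunk ("Require SSL connections on all transport connectors.") reads as identical text, so the change is presumably whitespace-only; either confirm it is intentional or drop it so the diff stays focused on the wording changes. Also, item 1 now capitalises "Web Console" while the unchanged item 2 still says "the web console"; pick one form across the list.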
@@ -57,7 +57,9 @@ Users are advised to secure their environments
9. Limit inbound and outbound network connectivity to and from an ActiveMQ
server.
-10. Normal users need permission to create advisory topics but should
generally **not** be given permission to read/write to those topics as those
messages are meant for admins. A notable exception is for temporary destination
advisory topics. For more information see the authorization section
[here](https://activemq.apache.org/components/classic/documentation/security#authorization).
+10. Do not run the broker using the root user, instead create a user account
to use for the broker. Users are expected to secure their OS and their file
system with proper permissions and controls. The broker does not try and limit
access to files, it relies on the operating system to do so.
+
+11. Normal users need permission to create advisory topics but should
generally **not** be given permission to read/write to those topics as those
messages are meant for admins. A notable exception is for temporary destination
advisory topics. For more information see the authorization section
[here](https://activemq.apache.org/components/classic/documentation/security#authorization).
## ActiveMQ Security Improvement Project
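Review bot: two grammar points in the new item 10. "Do not run the broker using the root user, instead create a user account" is a comma splice; suggest "Do not run the broker as the root user. Instead, create a dedicated user account for the broker." And "The broker does not try and limit access to files" should read "does not try to limit access to files". Note also that the advisory-topics item moves from 10 to 11, so any external text that cites it by number will need updating.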
@@ -77,6 +79,12 @@ The Apache ActiveMQ team has initiated a security hardening
project to move from
7. [Done] VM Transport creation blocks the XBean factory by default
+8. [Done] Limit the maximum size of uncompressed message bodies with the
`maxInflatedDataSize` and `maxInflatedDataSizeRatio` settings.
+
+9. [Done] Validate all size values during unmarshalling before using those
sizes for allocating buffers
+
+10. [Done] The WebConsole and Jolokia have been restricted to only admins.
+
## Security vs Features
AI code scanning tools often mistaken designed features as a security issue.
It is the responsibility of the reporter to review AI output and verify if it's
a real issue. There has been a large number of invalid submissions that could
be avoided by simply reviewing the JMS spec and the features of the broker
itself.
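Review bot: naming in the new item 10 ("The WebConsole and Jolokia") is inconsistent with "Web Console" used in the hardening list earlier in this change; use the same spelling. Minor: item 9 ("Validate all size values during unmarshalling before using those sizes for allocating buffers") lacks the terminal period that items 8 and 10 have. Unrelated to the added lines but visible in the trailing context, "AI code scanning tools often mistaken designed features" should be "often mistake".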
@@ -95,4 +103,6 @@ Some of the most common reported examples:
1. Exploits that are only possible because users did not configure
authentication or authorization. It is expected users modify the default
configuration appropriately to enable security for their environment.
-2. Any attack that require administrative access to be granted. For example,
by default Jolokia now requires administrative access. By definition admins are
allowed to do anything, so if the issue requires the user to login with admin
credentials then the report will not be accepted and would be treated as a bug.
+2. Any attack that require administrative access to be granted. For example,
by default Jolokia and the web console now requires administrative access. By
definition admins are allowed to do anything, so if the issue requires the user
to login with admin credentials then the report will not be accepted and would
be treated as a bug.
+
+3. DoS attacks caused by OOM because users did not configure a maxFrameSize or
maxInflatedDataSize which are designed to limit the size of messages in memory.
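Review bot: subject-verb agreement in the rewritten item 2: "Any attack that require administrative access" should be "requires", and "Jolokia and the web console now requires administrative access" should be "require" (plural subject); the first error is carried over from the removed line, so this is a good place to fix it. In the new item 3, put `maxFrameSize` and `maxInflatedDataSize` in backticks to match how `maxInflatedDataSize` and `maxInflatedDataSizeRatio` are written in the hardening list earlier in this change.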
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact