[ https://issues.apache.org/jira/browse/ARTEMIS-458?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
clebert suconic closed ARTEMIS-458.
-----------------------------------

> JMSObjectMessage deserializes potentially malicious objects allowing Remote
> Code Execution
> ------------------------------------------------------------------------------------------
>
> Key: ARTEMIS-458
> URL: https://issues.apache.org/jira/browse/ARTEMIS-458
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Reporter: Jason Shepherd
>
> We should define a whitelist of classes that need to be deserialized as part
> of an object message and allow users to add their own.
> Classes that probably need updating include:
> * /artemis-jms-client/src/main/java/org/apache/activemq/artemis/jms/client/ActiveMQObjectMessage.java
> * ./artemis-ra/src/main/java/org/apache/activemq/artemis/ra/ActiveMQRAObjectMessage.java
> * ./artemis-rest/src/main/java/org/apache/activemq/artemis/rest/queue/ConsumedObjectMessage.java
> Another option might be to enable the security manager for artemis to
> restrict the module actions. This will depend on
> https://issues.jboss.org/browse/MODULES-236 being backported to EAP so that
> we can use environment variables in file paths for portability.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
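The class allow-list the report asks for, shown as an added Java illustration that is not Artemis' own code: an ObjectInputStream subclass that refuses to resolve any class outside a baseline list plus user-supplied package prefixes, so a gadget class is rejected before any instance of it exists. Class, method and prefix names here are hypothetical; the wiring into ActiveMQObjectMessage is not shown.

```java
import java.io.*;
import java.util.*;

// Added example (not Artemis code): only classes whose names start with an
// allow-listed prefix are resolved during deserialization.
public class AllowListObjectInputStream extends ObjectInputStream {
    private final List<String> allowedPrefixes = new ArrayList<>();

    public AllowListObjectInputStream(InputStream in, Collection<String> userPrefixes) throws IOException {
        super(in);
        // Built-in baseline; the user list extends it (the "add their own" part).
        allowedPrefixes.addAll(Arrays.asList("java.lang.", "java.util."));
        allowedPrefixes.addAll(userPrefixes);
    }

    // Called for every class descriptor in the stream before an instance is
    // created, so rejecting here stops attacker-chosen classes from loading.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (name.startsWith("[")) {                       // array descriptor
            int i = 0;
            while (name.charAt(i) == '[') i++;
            if (name.charAt(i) != 'L') return super.resolveClass(desc); // primitive array, e.g. "[I"
            name = name.substring(i + 1, name.length() - 1);            // "[Lx.Y;" -> "x.Y"
        }
        if (allowedPrefixes.stream().noneMatch(name::startsWith)) {
            throw new InvalidClassException(desc.getName(), "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Serialize, then deserialize through the allow-listing stream.
    static Object roundTrip(Serializable value, Collection<String> userPrefixes) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(value); }
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()), userPrefixes)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // java.util.HashMap and its java.lang.* contents are on the baseline list.
        System.out.println(roundTrip(new HashMap<>(Map.of("k", 1)), List.of()));
        // java.math.BigDecimal is not, so resolveClass rejects it before readObject runs.
        try { roundTrip(new java.math.BigDecimal("1.5"), List.of()); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.classname); }
        // An operator who needs that payload type extends the list explicitly.
        System.out.println(roundTrip(new java.math.BigDecimal("1.5"), List.of("java.math.")));
    }
}
```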