Posted to dev@qpid.apache.org by "Robbie Gemmell (JIRA)" <ji...@apache.org> on 2016/07/02 01:19:11 UTC

[jira] [Updated] (QPID-7323) [CVE-2016-4974] [Java Client] add whitelisting of trusted content for deserialization from ObjectMessage

     [ https://issues.apache.org/jira/browse/QPID-7323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robbie Gemmell updated QPID-7323:
---------------------------------
    Description: 
When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process of constructing the body to return.

This improvement adds the new configuration options to whitelist trusted content permitted for deserialization. When so configured, attempts to deserialize input containing other content will be prevented.

  was:Make improvements to the ObjectMessage implementation

        Summary: [CVE-2016-4974] [Java Client] add whitelisting of trusted content for deserialization from ObjectMessage  (was: [Java Client] Improvements to the ObjectMessage implementation)

Two new URI options were added:

*objectMessageClassHierarchyWhiteList* A comma-separated list of class/package names that should be allowed when deserializing the contents of a JMS ObjectMessage, unless overridden by the blackList. The names in this list are not pattern values; the exact class or package name must be configured, e.g. "java.util.Map" or "java.util". Package matches include sub-packages. Default is to allow all.

*objectMessageClassHierarchyBlackList* A comma-separated list of class/package names that should be rejected when deserializing the contents of a JMS ObjectMessage. The names in this list are not pattern values; the exact class or package name must be configured, e.g. "java.util.Map" or "java.util". Package matches include sub-packages. Default is to prevent none.
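As an added illustration of the matching rules described above (example code, not the Qpid client's own implementation), a filtering ObjectInputStream that applies the same semantics to a constructed serialized body: exact names, package entries covering sub-packages, blacklist overriding whitelist, and an empty whitelist allowing all. Class and method names here are hypothetical.

```java
import java.io.*;
import java.util.*;

/** Added example, not Qpid client code: a filtering ObjectInputStream with the QPID-7323 whitelist/blacklist semantics. */
public class ObjectMessageFilterDemo {
    /** Parses a comma-separated option value such as "java.util,java.lang"; null means the option is absent. */
    static List<String> parseOption(String value) {
        List<String> names = new ArrayList<>();
        if (value == null) return names;
        for (String s : value.split(",")) if (!s.trim().isEmpty()) names.add(s.trim());
        return names;
    }
    /** Exact class name, or a package entry covering the class's package or any parent package. */
    static boolean matches(String className, String entry) {
        return className.equals(entry) || className.startsWith(entry + ".");
    }
    /** Blacklist overrides whitelist; empty whitelist allows all; empty blacklist prevents none. */
    static boolean isAllowed(String className, List<String> whiteList, List<String> blackList) {
        for (String entry : blackList) if (matches(className, entry)) return false;
        if (whiteList.isEmpty()) return true;
        for (String entry : whiteList) if (matches(className, entry)) return true;
        return false;
    }
    /** Checks every class descriptor in the stream before the class is loaded or instantiated. */
    static final class FilteringObjectInputStream extends ObjectInputStream {
        private final List<String> whiteList, blackList;
        FilteringObjectInputStream(InputStream in, List<String> w, List<String> b) throws IOException {
            super(in); whiteList = w; blackList = b;
        }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!isAllowed(desc.getName(), whiteList, blackList))
                throw new InvalidClassException(desc.getName(), "not permitted by the ObjectMessage class filter");
            return super.resolveClass(desc);
        }
    }
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();   // constructed stand-in for a message body
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(new HashMap<String, Integer>(Collections.singletonMap("count", 42))); }
        // java.util admits HashMap; java.lang admits Integer and its superclass descriptor Number.
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()), parseOption("java.util,java.lang"), parseOption(null))) {
            System.out.println("allowed: " + in.readObject());
        }
        // Blacklisting java.util overrides the whitelist entry, so HashMap is rejected before it is loaded.
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()), parseOption("java.util,java.lang"), parseOption("java.util"))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

The rejection happens inside resolveClass, i.e. while reading the class descriptor and before any constructor or readObject method of the rejected class can run.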

> [CVE-2016-4974] [Java Client] add whitelisting of trusted content for deserialization from ObjectMessage
> --------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-7323
>                 URL: https://issues.apache.org/jira/browse/QPID-7323
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Client
>            Reporter: Keith Wall
>            Assignee: Lorenz Quack
>             Fix For: qpid-java-6.0.4, qpid-java-6.1
>
>
> When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process of constructing the body to return.
> This improvement adds the new configuration options to whitelist trusted content permitted for deserialization. When so configured, attempts to deserialize input containing other content will be prevented.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)