Posted to issues@activemq.apache.org by "Jason Shepherd (JIRA)" <ji...@apache.org> on 2016/03/24 01:43:25 UTC

[jira] [Created] (ARTEMIS-458) JMSObjectMessage deserializes potentially malicious objects allowing Remote Code Execution

Jason Shepherd created ARTEMIS-458:
--------------------------------------

             Summary: JMSObjectMessage deserializes potentially malicious objects allowing Remote Code Execution
                 Key: ARTEMIS-458
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-458
             Project: ActiveMQ Artemis
          Issue Type: Bug
            Reporter: Jason Shepherd


We should define a whitelist of classes that need to be deserialized as part of an object message and allow users to add their own.

Classes that probably need updating include: 
* /artemis-jms-client/src/main/java/org/apache/activemq/artemis/jms/client/ActiveMQObjectMessage.java
* ./artemis-ra/src/main/java/org/apache/activemq/artemis/ra/ActiveMQRAObjectMessage.java
* ./artemis-rest/src/main/java/org/apache/activemq/artemis/rest/queue/ConsumedObjectMessage.java

Another option might be to enable the security manager for artemis to restrict the module actions. This will depend on https://issues.jboss.org/browse/MODULES-236 being backported to EAP so that we can use environment variables in file paths for portability.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)