This is an automated email from the ASF dual-hosted git repository.
mattrpav pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/main by this push:
new f6404d47cf [#] Questions answered for THREAD_MODEL.md
f6404d47cf is described below
commit f6404d47cf6e9bedaa31743ec9bc5c6f0f721221
Author: Matt Pavlovich <[email protected]>
AuthorDate: Thu Jul 9 10:40:10 2026 -0500
[#] Questions answered for THREAD_MODEL.md
---
SECURITY.md | 4 ++++
THREAT_MODEL.md | 46 +++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/SECURITY.md b/SECURITY.md
index 2e946cb293..ff84663a66 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -63,6 +63,10 @@ Users are expected to secure their environments
12. Specify maxUncommittedCount (Broker) and maxDestinations (PolicyEntry) to
prevent DoS attacks.
+13. Administrators are expected to change the default password (and optionally
the default 'admin' user id)
+
+=======
+
## ActiveMQ Security Improvement Project
The Apache ActiveMQ team has initiated a security hardening project to move
from a default configuration that is geared for developer testing and learning
to a secured-by-default stance.
diff --git a/THREAT_MODEL.md b/THREAT_MODEL.md
index 318bd66243..163cd50af9 100644
--- a/THREAT_MODEL.md
+++ b/THREAT_MODEL.md
@@ -569,8 +569,16 @@ strike, and names where the answer lands. Grouped in waves.
convenience, not a production posture), so findings there are
`OUT-OF-MODEL`. Is the `admin/admin` credential specifically in that bucket,
or do you consider a shipped default credential a `VALID-HARDENING` item?
+
+ > Users are expected to reset password. The use of admin/admin default
+ > credentials is to provide a working out-of-the-box developer and
+ > administrator experience.
+
2. *(→ §3)* We put third-party JAAS back-ends, LDAP/JDBC servers, and the
JVM/TLS stack **out of model** (our *use* of them stays in). Correct?
+
+ > Correct, ActiveMQ is a consumer of those systems.
+
3. *(→ §4, §7, §11)* We state the primary trust boundary is the transport
connector and the primary adversary is a network client reaching an
**enabled** connector on an **auth-configured** broker (plus a
@@ -578,6 +586,8 @@ strike, and names where the answer lands. Grouped in waves.
framing and that "exposing a connector to the internet unauthenticated" is a
§11 misuse, not a broker defect.
+ > Correct.
+
**Wave 2 — management plane & storage (reshapes §4, §5, §8, §9):**
4. *(→ §4, §8, §9)* We model the web console (Jetty, `:8161`), Jolokia, and JMX
@@ -587,19 +597,38 @@ strike, and names where the answer lands. Grouped in
waves.
bind to `0.0.0.0` or localhost? is Jolokia exposed by default?). Please
confirm the default authentication state and bind address of the management
surfaces.
+
+ > Jetty and Jolokia are configured to only listen on localhost (127.0.0.1)
+ > by default and are configured to require authentication and authorization.
+
5. *(→ §4, §5, §7, §8)* We assume the KahaDB directory, JDBC store, keystores,
and credential files are **trusted storage** with the broker as exclusive
writer, and that a local-filesystem attacker is out of scope. Confirm; and
confirm that message durability/integrity (§8 #7) is a correctness — not a
confidentiality/authz — guarantee.
+
+ > Correct.
+
6. *(→ §5)* We assume a conformant JVM, correct system clock, and correctly
configured TLS trust store as environmental preconditions. Anything else
load-bearing (specific JDK floor per line, RMI/JMX assumptions)?
+
+ > Non-localhost network access to RMI/JMX must be secured as an
+ > environmental pre-condition. ActiveMQ does not have the ability to
+ > control IP filtering, rate limiting or request limits of RMI/JMX
+ > operations.
+
7. *(→ §5)* Our "what the broker does to the host" inventory says it opens
listening + outbound sockets, owns its KahaDB dir, reads `ACTIVEMQ_OPTS`,
and starts JMX/Jetty when enabled — and makes **no** no-side-effects
promise. Is that inventory complete and correct?
+ > Yes. Administrators are responsible to ensure proper system sizing and
+ > configuration to meet the expected workload. Running out of file
descriptors,
+ > using too much memory due to high thread counts or running out of disk
+ > space through normal broker operations is not a DoS, but a
misconfiguration
+ > of system sizing to the workload.
+
**Wave 3 — resource bounds, peers, deserialization edges (reshapes §6, §8,
§9):**
8. *(→ §5a, §6)* Is the resource-bound set we list (`maxUncommittedCount`,
@@ -608,18 +637,33 @@ strike, and names where the answer lands. Grouped in
waves.
must set to make DoS in-model, or are there others (per-destination limits,
connection-rate limits)? And is "breach of a *configured* bound" the correct
line for `VALID` vs `BY-DESIGN`?
+
+ > Add 'maximumProducersAllowedPerConnection' and
+ > 'maximumConsumersAllowedPerConnection'. Per-destination limits are needed
+ > for a shared, multi-tenant, or for traffic shaping to settle down noisy
+ > neighbors. Valid application traffic causing noisy-neighbor disruption
+ > to other applications is not a valid security report for degrading
service.
+
9. *(→ §2, §7, §8, §10)* We model a network-of-brokers peer as
**authenticated-but-adversarial** and expect operators to authenticate/scope
the link. Do you provide any safety guarantee across a broker link (e.g.
forwarded-message authorization), or is a compromised/malicious peer wholly
the operator's trust decision?
+
+ > Yes, compromised/malicious peer is the operator's trust decision.
+ >
+ > Peer connections are authenticated and authorized with two-way TLS being
+ > the recommended security method. Messages cannot be forwarded unless the
+ > peer is authenticated and authorized to the destinations.
+
10. *(→ §9)* We frame `SERIALIZABLE_PACKAGES` as a **package-level gate, not a
gadget-chain guarantee** — an allow-listed package containing a gadget is
the operator's risk, and only an allow-list *bypass* (a class outside the
list getting deserialized) is `VALID`. Confirm this is the right line, and
confirm the default trusted-package list is considered gadget-safe by the
project.
-
+
+ > Correct
---
*End of v0 draft. Provenance counts and every §14 answer should be folded back
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact