Hi Claus, I implemented a fix for this in https://issues.apache.org/jira/browse/AMQ-6077. If you can give it a look and see if anything else is missing, it would be greatly appreciated.

Here are the proposed changes to Camel once we have the 5.13.1 release: https://github.com/dejanb/camel/commit/6c942f4bac18ab84c76411515d1e87caaf7705a4

BTW, we should change the version of the current master to 5.14-SNAPSHOT now that 5.13.0 is out.

Regards
--
Dejan Bosanac
about.me/dejanb

On Mon, Dec 7, 2015 at 2:39 PM, Daniel Kulp <[email protected]> wrote:
>
> > On Dec 7, 2015, at 8:16 AM, Claus Ibsen <[email protected]> wrote:
> >
> > Also if the java class name is in a JMS header (I think there is a
> > standard for that, JMSType is it not?) maybe the client/server can use
> > that out of the box to know at least packages from that class is okay
> > to use.
>
> Doesn't that defeat the purpose though? I could craft a message that
> contains "MyBadClass" and add that JMS header to say MyBadClass should be
> allowed. MyBadClass is loaded and security problem. It really needs to be
> something configured, not something part of the message.
>
> Dan
>
> > On Mon, Dec 7, 2015 at 2:15 PM, Claus Ibsen <[email protected]> wrote:
> >> Hi
> >>
> >> Thanks.
> >>
> >> Yeah this must be easier from client pov. Having to set a JVM system
> >> property is sometimes hard for people, e.g. they deploy to an existing
> >> running app server which they cannot restart.
> >>
> >> And then they need to add some code hack to set the system property
> >> from their java app before AMQ bootstrap.
> >>
> >> Looking forward to a 5.13.1 release. Hopefully with a nice and easy
> >> way for clients, and a speedy release so users can upgrade more
> >> easily.
> >>
> >> On Mon, Dec 7, 2015 at 1:52 PM, Dejan Bosanac <[email protected]> wrote:
> >>> Hi Claus,
> >>>
> >>> here's the test fix for the current implementation
> >>> https://github.com/dejanb/camel/commit/138186ffa40381c8c082d69917cbb29181ab4abc
> >>>
> >>> The thing is that the same security issues can occur in the client
> >>> applications, when folks call getObject() method, so I think it's the right
> >>> approach for people to whitelist only the packages they trust.
> >>>
> >>> I agree that we can improve user experience by making it easier to
> >>> configure all this in the client apps. I think it might be good to allow easy
> >>> configuration on the connection factory and using connection urls. I'll
> >>> raise a new Jira for that and we can deliver this in 5.13.1. If you have
> >>> any more concerns and ideas on how to improve this, please let me know.
> >>>
> >>> I'll go ahead next and create more docs around this.
> >>>
> >>> Regards
> >>> --
> >>> Dejan Bosanac
> >>> about.me/dejanb
> >>>
> >>> On Mon, Dec 7, 2015 at 11:24 AM, Dejan Bosanac <[email protected]> wrote:
> >>>
> >>>> I'll give it a try now. Thanks!
> >>>>
> >>>> Regards
> >>>> --
> >>>> Dejan Bosanac
> >>>> about.me/dejanb
> >>>>
> >>>> On Mon, Dec 7, 2015 at 11:16 AM, Claus Ibsen <[email protected]> wrote:
> >>>>
> >>>>> Yes a number of tests fail in camel-jms, if you test with 5.13.0. You
> >>>>> can try yourself by changing the activemq-version in the
> >>>>> parent/pom.xml.
> >>>>>
> >>>>> On Mon, Dec 7, 2015 at 11:04 AM, Dejan Bosanac <[email protected]> wrote:
> >>>>>> Hi Claus,
> >>>>>>
> >>>>>> restrictions were necessary for the CVE that was reported. We're about
> >>>>>> to disclose it fully now after the release.
> >>>>>>
> >>>>>> AFAIK the change should not affect ObjectMessages in general, just the
> >>>>>> cases where those objects are serialized/unserialized inside of the broker,
> >>>>>> like web console or stomp transformations. I'll create proper docs for
> >>>>>> the change now and the security aspect of it and we can see later what else
> >>>>>> we can do to improve the user experience.
> >>>>>>
> >>>>>> Are there any Camel related tests that fail due to this change? I can take
> >>>>>> a look at that as well.
> >>>>>>
> >>>>>> Regards
> >>>>>> --
> >>>>>> Dejan Bosanac
> >>>>>> about.me/dejanb
> >>>>>>
> >>>>>> On Sat, Dec 5, 2015 at 11:19 AM, Claus Ibsen <[email protected]> wrote:
> >>>>>>
> >>>>>>> I really think you guys should add something about those object
> >>>>>>> serialization restrictions. Any end users that use java objects over
> >>>>>>> JMS are affected. Nothing works anymore.
> >>>>>>>
> >>>>>>> It's because of
> >>>>>>> https://issues.apache.org/jira/browse/AMQ-6013
> >>>>>>>
> >>>>>>> So there should be some text in the release notes, and ideally AMQ
> >>>>>>> broker / client should have some kind of INFO logging that openwire
> >>>>>>> with objects is restricted or not. Otherwise it's even harder for end
> >>>>>>> users to spot what is going on.
> >>>>>>>
> >>>>>>> On Fri, Dec 4, 2015 at 3:57 PM, Timothy Bish <[email protected]> wrote:
> >>>>>>>> It's probably a good idea to add a new page in the "New Features" section
> >>>>>>>> on the site to cover the additions in 5.13.0. I know you added the 'auto'
> >>>>>>>> transport along with some other work for some additional metrics etc, all
> >>>>>>>> good things that would be nice to advertise a bit.
> >>>>>>>>
> >>>>>>>> See: http://activemq.apache.org/new-features.html
> >>>>>>>>
> >>>>>>>> On Thu, Dec 3, 2015 at 3:51 PM, Christopher Shannon <[email protected]> wrote:
> >>>>>>>>
> >>>>>>>>> Hi everyone,
> >>>>>>>>>
> >>>>>>>>> Apache ActiveMQ 5.13.0 has now been released.
> >>>>>>>>>
> >>>>>>>>> This release contains a number of resolved issues and new features since
> >>>>>>>>> the 5.12.1 release.
> >>>>>>>>>
> >>>>>>>>> A list of issues resolved in this release is available here:
> >>>>>>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12329848
> >>>>>>>>>
> >>>>>>>>> The Wiki page for the release is here:
> >>>>>>>>> http://activemq.apache.org/activemq-5130-release.html
> >>>>>>>>>
> >>>>>>>>> API documentation for 5.12.1 is located here:
> >>>>>>>>> http://activemq.apache.org/maven/5.13.0/apidocs/index.html
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Tim Bish
> >>>>>>>
> >>>>>>> --
> >>>>>>> Claus Ibsen
> >>>>>>> -----------------
> >>>>>>> http://davsclaus.com @davsclaus
> >>>>>>> Camel in Action 2: https://www.manning.com/ibsen2
> >>>>>
> >>>>> --
> >>>>> Claus Ibsen
> >>>>> -----------------
> >>>>> http://davsclaus.com @davsclaus
> >>>>> Camel in Action 2: https://www.manning.com/ibsen2
> >>
> >> --
> >> Claus Ibsen
> >> -----------------
> >> http://davsclaus.com @davsclaus
> >> Camel in Action 2: https://www.manning.com/ibsen2
> >
> > --
> > Claus Ibsen
> > -----------------
> > http://davsclaus.com @davsclaus
> > Camel in Action 2: https://www.manning.com/ibsen2
>
> --
> Daniel Kulp
> [email protected] - http://dankulp.com/blog
> Talend Community Coder - http://coders.talend.com
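The point Dan makes in the thread, that the trusted-package list for ObjectMessage deserialization must come from configuration and never from the message itself, and Dejan's note that the same risk applies on the client side whenever getObject() is called, as a hypothetical Java example added here. This is not ActiveMQ's or Camel's own code: it uses only the JDK, the class names TrustedPackagesDemo, AllowlistObjectInputStream, Gadget and getObject are invented for illustration, and the sample payloads and headers are constructed. The trusted list is passed in as plain configuration, standing in for the JVM system property the thread discusses (org.apache.activemq.SERIALIZABLE_PACKAGES in ActiveMQ's client), while a JMSType header naming an untrusted class has no effect on what gets resolved.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical consumer-side allowlist for serialized ObjectMessage payloads (not ActiveMQ code). */
public class TrustedPackagesDemo {

    /** ObjectInputStream that refuses to resolve any class outside the configured packages. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final List<String> trustedPackages;

        AllowlistObjectInputStream(byte[] payload, List<String> trustedPackages) throws IOException {
            super(new ByteArrayInputStream(payload));
            this.trustedPackages = trustedPackages;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!isTrusted(name)) {
                // Reject before the class is loaded, so an untrusted class never gets to run any code.
                throw new InvalidClassException(name, "not in trusted packages " + trustedPackages);
            }
            return super.resolveClass(desc);
        }

        private boolean isTrusted(String className) {
            for (String pkg : trustedPackages) {
                // Match on the package boundary so "java.lang" does not also admit "java.langx.Foo".
                if (className.startsWith(pkg + ".")) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Serialize a value the way a producer would before putting it in an ObjectMessage. */
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    /** Consumer-side equivalent of getObject(): the allowlist is configuration, never message content. */
    static Object getObject(Map<String, String> headers, byte[] body, List<String> trustedPackages)
            throws IOException, ClassNotFoundException {
        // headers (JMSType included) is deliberately not consulted when deciding what to load.
        try (ObjectInputStream in = new AllowlistObjectInputStream(body, trustedPackages)) {
            return in.readObject();
        }
    }

    /** Stand-in for a class the consumer has no reason to trust; it carries no behaviour. */
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Operator-supplied configuration; this is the only thing that decides what may be resolved.
        List<String> trusted = Arrays.asList("java.lang", "java.util");

        // Constructed legitimate payload: a HashMap of String -> Integer, entirely within trusted packages.
        HashMap<String, Integer> order = new HashMap<>();
        order.put("orderId", 42);
        Map<String, String> okHeaders = new HashMap<>();
        okHeaders.put("JMSType", HashMap.class.getName());
        System.out.println("accepted: " + getObject(okHeaders, serialize(order), trusted));

        // Constructed crafted payload: the JMSType header claims Gadget should be allowed. It changes nothing.
        Map<String, String> craftedHeaders = new HashMap<>();
        craftedHeaders.put("JMSType", Gadget.class.getName());
        try {
            getObject(craftedHeaders, serialize(new Gadget()), trusted);
            System.out.println("BUG: untrusted class was resolved");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Save as TrustedPackagesDemo.java, then `javac TrustedPackagesDemo.java && java TrustedPackagesDemo`. The first call prints the accepted map; the second is rejected inside resolveClass with the class name and the configured list, which is also the kind of message a client log should carry so that users hitting the restriction can see which package to add, as Claus asks for earlier in the thread. Overriding resolveClass works on every JDK; on Java 9 and later an ObjectInputFilter can express the same policy without subclassing.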
