[ 
https://issues.apache.org/jira/browse/AMQ-6013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15043298#comment-15043298
 ] 

Moritz Bechler commented on AMQ-6013:
-------------------------------------

Btw, you might want to have a look at your own 
org.apache.activemq.web.WebClient (as this is still on the whitelist). Have not 
checked under which condition the static factory gets initialized exactly (it 
seems to be for the web console), but one can certainly do some mischief (I'd 
say mainly DOS) if it is.

I'd also suggest that you announce this change in a much more prominent way 
(maybe even get a CVE for it), as it both has very serious security 
implications if it goes unpatched and also very well might break some people's 
code. And you should also make it very clear that one should be very careful 
what to add to the whitelist.

To answer Brett (as a third party):
Java deserialization on not completely trusted input is inherently dangerous. 
The amount of code reachable by just deserializing some input is insane. There 
are many instances where developers are careless (or even simply don't care) 
what can be done with their deserialization routines (also there can be nasty 
interactions between different pieces of code) and the default deserialization 
routine allows one to use anything you have on your classpath. We have seen 
three major libraries contain code that leads to remote arbitrary code 
execution. And there are more to come.
Imho, we really need to either fix the primitive or drop it from all the specs 
that are/allow using it in a potentially dangerous way.

> Restrict classes that can be serialized in ObjectMessages
> ---------------------------------------------------------
>
>                 Key: AMQ-6013
>                 URL: https://issues.apache.org/jira/browse/AMQ-6013
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.12.0
>            Reporter: Dejan Bosanac
>            Assignee: Dejan Bosanac
>             Fix For: 5.11.3, 5.13.0
>
>
> At some points we do (de)serialization of JMS Object messages inside the 
> broker (HTTP, Stomp, Web Console, ...). We need to restrict classes that can 
> be serialized in this way.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
