From what I can tell the XStream jar isn't even on the broker's classpath
by default. You must explicitly move it from the lib/optional directory
into lib. Have you done that? If not, then you should be safe from any
security issues. XStream is (potentially) used for message transformation,
not the web console.

How are blacklists and whitelists related to this issue?


Justin

On Tue, May 4, 2021 at 1:33 PM Jackson, Douglas <
douglas.s.jack...@siemens.com> wrote:

> Hi!
> We are wondering about the extent of the danger from the usage of xstream in
> ActiveMQ prior to 5.16.
>
> Is it related only to the ActiveMQ web console?
> Does ActiveMQ use blacklists or whitelists?
>
> Is there a way to avoid the security issues posed by the usage of xstream
> while using the versions of ActiveMQ in which xstream is used?
> -Doug
>
>
