Hello Doug-

The stream usage is optional and you can see the full extent of where it is used by ActiveMQ using this query:
https://github.com/apache/activemq/search?p=4&q=xstream

Several components perform checks to ensure they do not deserialize xstream classes. Much of the usage is in http and stomp transports for translating map and object message types.

-Matt

> On May 4, 2021, at 1:32 PM, Jackson, Douglas <douglas.s.jack...@siemens.com> wrote:
>
> Hi!
> We are wondering the extent of the danger from the usage of xstream in ActiveMQ prior to 5.16.
>
> Is it related only to the ActiveMQ web console?
> Does ActiveMQ use blacklists or whitelists?
>
> Is there a way to avoid the security issues posed by the usage of xstream while using the versions of ActiveMQ in which xstream is used?
> -Doug