[ENTMQ-1484] Implementation of AMQ-6077 in Fuse 6.2.1 is incomplete - JBoss Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Done
Affects Version/s: JBoss A-MQ 6.2
Fix Version/s: JBoss A-MQ 6.3
Component/s: broker
Labels:
None
Environment:

JBoss A-MQ/Fuse 6.2.1 and earlier

Description

Some new features to control the deserialization of object messages were implemented in ActiveMQ 5.12 and 5.13 in the wake of CVE-2015-5254 .These include methods (setTrustedPackages(), etc) on the ActiveMQConnectionFactory and a JVM property SERIALIZABLE_PACKAGES, which set out to control which Java packages can be deserialized.These changes are logged in AMQ-6077. https://issues.apache.org/jira/browse/AMQ-6077We note that the use of the SERIALIZABLE_PACKAGES method has been implemented in Fuse 6.2.1, but that the methods setTrustedPackages(), etc., have not.

Gliffy Diagrams

Attachments

Issue Links

blocks

ENTMQ-1490 Better configuration of restricted classes for clients (Back port AMQ-6077)

Resolved

follows up on

ENTMQ-1183 Restrict classes that can be serialized in ObjectMessages

Resolved

Activity

People

Assignee:

Gary Tully

Reporter:

Kevin Boone

Tester:

Michal Toth

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

13/Jan/16 8:44 AM

Updated:

18/Nov/16 11:34 AM

Resolved:

21/Jan/16 8:41 AM