  1. JBoss A-MQ
  2. ENTMQ-1484

Implementation of AMQ-6077 in Fuse 6.2.1 is incomplete

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: JBoss A-MQ 6.2
    • Fix Version/s: JBoss A-MQ 6.3
    • Component/s: broker
    • Labels:
      None
    • Environment:

      JBoss A-MQ/Fuse 6.2.1 and earlier

      Description

      Some new features to control the deserialization of object messages were implemented in ActiveMQ 5.12 and 5.13 in the wake of CVE-2015-5254. These include methods (setTrustedPackages(), etc.) on the ActiveMQConnectionFactory and a JVM property SERIALIZABLE_PACKAGES, which set out to control which Java packages can be deserialized. These changes are logged in AMQ-6077: https://issues.apache.org/jira/browse/AMQ-6077

      We note that the use of the SERIALIZABLE_PACKAGES method has been implemented in Fuse 6.2.1, but that the methods setTrustedPackages(), etc., have not.
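
The two kinds of control named in the description, a JVM-wide property and a per-factory list, shown as a JDK-only sketch of a package allow-list applied at deserialization time. This is an added example, not ActiveMQ or Fuse code; the class names and the property `demo.serializable.packages` are assumptions made for the illustration.

```java
import java.io.*;
import java.util.*;

public class TrustedPackagesDemo {
    // Hypothetical property name; stands in for a JVM-wide allow-list setting.
    static final String PROP = "demo.serializable.packages";

    static class FilteringInput extends ObjectInputStream {
        private final List<String> trusted;
        FilteringInput(InputStream in, List<String> perFactory) throws IOException {
            super(in);
            // A per-factory list takes precedence; otherwise use the JVM-wide property.
            this.trusted = perFactory != null ? perFactory
                    : Arrays.asList(System.getProperty(PROP, "").split(","));
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String pkg : trusted) {
                String p = pkg.trim();
                // Prefix match: a trusted package also covers its subpackages.
                if (!p.isEmpty() && name.startsWith(p + ".")) return super.resolveClass(desc);
            }
            // Fail closed: unlisted packages (and array types) are never instantiated.
            throw new InvalidClassException(name, "package not trusted");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static String tryRead(byte[] data, List<String> perFactory) {
        try (ObjectInputStream in = new FilteringInput(new ByteArrayInputStream(data), perFactory)) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (IOException | ClassNotFoundException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] date = serialize(new Date(0));     // constructed sample payloads
        byte[] file = serialize(new File("x"));
        System.setProperty(PROP, "java.util");    // JVM-wide setting
        System.out.println(tryRead(date, null));  // checked against the property
        System.out.println(tryRead(file, null));  // java.io is not listed there
        System.out.println(tryRead(file, Arrays.asList("java.io"))); // per-factory override
    }
}
```

The last call shows what a per-factory setter adds over a single JVM property: different connections in one JVM can carry different allow-lists.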

                People

                • Assignee:
                  garytully Gary Tully
                  Reporter:
                  kboone Kevin Boone
                  Tester:
                  Michal Toth
