Details
- Bug
- Resolution: Done
- Major
- JBoss A-MQ 6.2
- None
Description
Some new features to control the deserialization of object messages were implemented in ActiveMQ 5.12 and 5.13 in the wake of CVE-2015-5254. These include methods (setTrustedPackages(), etc.) on the ActiveMQConnectionFactory and a JVM property SERIALIZABLE_PACKAGES, which set out to control which Java packages can be deserialized.

These changes are logged in AMQ-6077. https://issues.apache.org/jira/browse/AMQ-6077

We note that the use of the SERIALIZABLE_PACKAGES method has been implemented in Fuse 6.2.1, but that the methods setTrustedPackages(), etc., have not.
Issue Links
- blocks: ENTMQ-1490 Better configuration of restricted classes for clients (Back port AMQ-6077) (Closed)
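
The description above concerns restricting which Java packages may be deserialized from object messages. The following is an added example, not ActiveMQ or Fuse code, that shows the general mechanism with the JDK alone: a package allow-list enforced in `ObjectInputStream.resolveClass`. The names `TrustedPackagesDemo`, `PackageFilteringInputStream` and `read` are hypothetical, and the payload is constructed for the demonstration.

```java
import java.io.*;
import java.util.*;

public class TrustedPackagesDemo {

    // Illustrative filter (hypothetical class): refuses to resolve any class
    // whose package is not on the allow-list, before it is instantiated.
    static class PackageFilteringInputStream extends ObjectInputStream {
        private final List<String> trustedPackages;

        PackageFilteringInputStream(InputStream in, List<String> trustedPackages) throws IOException {
            super(in);
            this.trustedPackages = trustedPackages;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (name.startsWith("[")) {                      // array descriptor, e.g. "[Ljava.util.Date;"
                String element = name.replaceFirst("^\\[+", "");
                if (!element.startsWith("L")) return super.resolveClass(desc); // primitive array
                name = element.substring(1, element.length() - 1);            // drop 'L' and ';'
            }
            for (String pkg : trustedPackages) {             // prefix match also covers sub-packages
                if (name.startsWith(pkg + ".")) return super.resolveClass(desc);
            }
            throw new InvalidClassException(name, "package not in trusted list");
        }
    }

    static Object read(byte[] data, List<String> trusted) throws Exception {
        try (ObjectInputStream in = new PackageFilteringInputStream(new ByteArrayInputStream(data), trusted)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Date(0L));                   // constructed sample payload
        }
        byte[] payload = buf.toByteArray();
        System.out.println("java.util trusted: " + read(payload, Arrays.asList("java.lang", "java.util")));
        try {
            read(payload, Arrays.asList("java.lang"));       // java.util missing from the list
        } catch (InvalidClassException e) {
            System.out.println("java.util not trusted: rejected " + e.classname);
        }
    }
}
```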