Btw, you might want to have a look at your own org.apache.activemq.web.WebClient (as this is still on the whitelist). Have not checked under which condition the static factory gets initialized exactly (it seems to be for the web console), but one can certainly do some mischief (I'd say mainly DoS) if it is.
I'd also suggest that you announce this change in a much more prominent way (maybe even get a CVE for it), as it both has very serious security implications if it goes unpatched and also very well might break some people's code. And you should also make it very clear that one should be very careful what to add to the whitelist.
To answer Brett (as a third party):
Java deserialization on not completely trusted input is inherently dangerous. The amount of code reachable by just deserializing some input is insane. There are many instances where developers are careless (or even simply don't care) what can be done with their deserialization routines (also there can be nasty interactions between different pieces of code), and the default deserialization routine allows one to use anything you have on your classpath. We have seen three major libraries contain code that leads to remote arbitrary code execution. And there are more to come.
Imho, we really need to either fix the primitive or drop it from all the specs that are/allow using it in a potentially dangerous way.