
[CVE-2016-4974] allow whitelisting trusted classes/packages for deserialization from ObjectMessage


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.0
    • Fix Version/s: 0.10.0
    • Component/s: qpid-jms-client
    • Labels: None

    Description

      When applications call getObject() on a consumed JMS ObjectMessage, they are exposed to whatever object deserialization takes place while the body to be returned is constructed.

      This improvement adds new configuration options to whitelist the trusted content permitted for deserialization. When so configured, attempts to deserialize input containing any other content are prevented.
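      The mechanism the description refers to, as an added illustration rather than the Qpid JMS client's own code or configuration syntax: a hypothetical ObjectInputStream subclass that checks every class descriptor against a whitelist of trusted class names and package prefixes before the class is resolved, so an untrusted type in the message body is rejected before any of its deserialization hooks can run. The readTrusted helper and the sample body are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.List;

// Hypothetical helper: an ObjectInputStream that resolves only whitelisted classes/packages.
public class WhitelistObjectInputStream extends ObjectInputStream {
    private final List<String> trusted; // exact class names or package prefixes
    public WhitelistObjectInputStream(InputStream in, List<String> trusted) throws IOException {
        super(in);
        this.trusted = trusted;
    }
    private boolean isTrusted(String className) {
        // "java.util" matches java.util.ArrayList but not a package such as java.utilities
        for (String entry : trusted) {
            if (className.equals(entry) || className.startsWith(entry + ".")) return true;
        }
        return false;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Runs before the class is loaded, so no readObject()/readResolve() of an untrusted type executes.
        if (!isTrusted(desc.getName())) throw new InvalidClassException(desc.getName(), "not whitelisted");
        return super.resolveClass(desc);
    }
    // Deserialize a serialized body (what an ObjectMessage carries) under the given whitelist.
    public static Object readTrusted(byte[] body, List<String> trusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(body), trusted)) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample body: a serialized ArrayList of two strings.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new java.util.ArrayList<>(List.of("a", "b")));
        }
        System.out.println(readTrusted(bytes.toByteArray(), List.of("java.util")));
        try {
            readTrusted(bytes.toByteArray(), List.of("java.lang")); // ArrayList is outside this whitelist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      The first call succeeds because java.util.ArrayList matches the java.util prefix; the second is refused in resolveClass, before the untrusted class is even loaded.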

          People

            Assignee: Timothy A. Bish (tabish)
            Reporter: Timothy A. Bish (tabish)
