activemq-messages-dequeued-but-not-consumed

ObjectMessage serialization security was the issue.


ObjectMessage objects depend on Java serialization to marshal/unmarshal the object payload. This process is generally considered unsafe, because a malicious payload can exploit the host system. That is why, starting with versions 5.12.2 and 5.13.0, ActiveMQ requires users to explicitly whitelist the packages that may be exchanged using ObjectMessages.


I saw this a few days ago and added a white list but it didn't fix the issue. I also tried running against AMQ 5.11.3 and it didn't work. Apparently they added the security feature to 5.11.3 too. Anyway, I added this (-Dorg.apache.activemq.SERIALIZABLE_PACKAGES="*") to the client side and AMQ vm arguments and now everything is working as it should.


Keep in mind that the command line option I used is a security vulnerability that I've explicitly opened in my broker, which can allow a malicious user to execute code on my system. The right way to use that flag is to explicitly list the classes you allow to be deserialized, or at most use package wildcards to avoid explicitly listing individual classes and subpackages in a trusted parent package.
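As an added example (not code from the original post or from the ActiveMQ project), the snippet below shows the two client-side configurations side by side: the trust-everything setting that is equivalent to `-Dorg.apache.activemq.SERIALIZABLE_PACKAGES="*"`, and the hardened form that lists only the packages the application actually exchanges. It uses the `setTrustAllPackages` and `setTrustedPackages` setters on `ActiveMQConnectionFactory` (available from 5.12.2/5.13.0); the broker URL, queue name and the `com.example.orders` package are assumptions for illustration.

```java
import java.util.Arrays;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Queue;
import javax.jms.Session;
import org.apache.activemq.ActiveMQConnectionFactory;

public class TrustedPackagesExample {

    // Insecure: accepts any class on the classpath as an ObjectMessage payload.
    // Same effect as -Dorg.apache.activemq.SERIALIZABLE_PACKAGES="*".
    public static ActiveMQConnectionFactory insecureFactory(String brokerUrl) {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(brokerUrl);
        factory.setTrustAllPackages(true);
        return factory;
    }

    // Hardened: only classes under these packages may be deserialized.
    // "com.example.orders" is an assumed application package; java.lang and
    // java.util are listed so that ordinary String/List fields in the payload resolve.
    public static ActiveMQConnectionFactory hardenedFactory(String brokerUrl) {
        ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(brokerUrl);
        factory.setTrustedPackages(Arrays.asList("com.example.orders", "java.lang", "java.util"));
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Assumed broker address and queue name.
        ActiveMQConnectionFactory factory = hardenedFactory("tcp://localhost:61616");
        Connection connection = factory.createConnection();
        connection.start();
        Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
        Queue queue = session.createQueue("orders.inbound");
        MessageConsumer consumer = session.createConsumer(queue);

        ObjectMessage message = (ObjectMessage) consumer.receive(5000);
        if (message != null) {
            try {
                // Deserialization happens here, not on receive(); a payload class
                // outside the trusted packages is rejected with a JMSException.
                Object payload = message.getObject();
                System.out.println("Received payload of type " + payload.getClass().getName());
            } catch (JMSException rejected) {
                System.err.println("Payload rejected by trusted-package check: " + rejected.getMessage());
            }
        }
        connection.close();
    }
}
```

The check is applied when `getObject()` resolves the payload's classes, so a message whose class is not whitelisted is still dequeued but cannot be consumed, which matches the symptom in the title. The factory setters cover the client JVM; the `-Dorg.apache.activemq.SERIALIZABLE_PACKAGES` system property configures any JVM, broker included, and with an explicit package list rather than `*` it is the equivalent of `hardenedFactory` above.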

