Menu Search




Affected components

Qpid JMS

Affected versions

0.9.0 and earlier

Fixed versions

0.10.0 and later


Deserialization of untrusted input while using JMS ObjectMessage.

When applications call getObject() on a consumed JMS ObjectMessage they are subject to the behaviour of any object deserialization during the process of constructing the body to return. Unless the application has taken outside steps to limit the deserialization process, they can't protect against input that might try to make undesired use of classes available on the application classpath that might be vulnerable to exploitation. In order to exploit this vulnerability, an attacker would need to be able to inject a suitably crafted AMQP message containing the malicious JMS Object Message into the AMQP message network. For this, the attacker would require valid authentication credentials and suitable authorisation.


Users using ObjectMessage can upgrade to Qpid JMS client 0.10.0 or later, and use the new configuration options to whitelist trusted content permitted for deserialization. When so configured, attempts to deserialize input containing other content will be prevented. Alternatively, users of older client releases may utilise other means such as agent-based approaches to help govern content permitted for deserialization in their application.


This issue was discovered by Matthias Kaiser of Code White (