Allowlisting in IBM MQ classes for JMS/Jakarta Messaging

The Java object serialization and deserialization mechanism has been identified as a potential security risk. Allowlisting in IBM® MQ classes for JMS and IBM MQ classes for Jakarta Messaging provides protection against some of the risks that serialization poses.

About this task

The Java object serialization and deserialization mechanism has been identified as a potential security risk because deserialization instantiates arbitrary Java objects, so maliciously sent data has the potential to cause various problems. One notable application of serialization is in Jakarta Messaging 3.0 and Java Message Service 2.0 ObjectMessages, which use serialization to encapsulate and transfer arbitrary objects.

Serialization allowlisting is a mitigation against some of the risks that serialization poses. By explicitly specifying which classes can be encapsulated in, and extracted from, ObjectMessages, allowlisting prevents an ObjectMessage from being used to instantiate classes that the application does not expect.
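The following is an added illustration of the allowlisting technique described above using only standard Java APIs; it is not IBM MQ code and does not show how IBM MQ classes for JMS or Jakarta Messaging configure or enforce their allowlist. The class names `OrderEvent` and `Unexpected` are constructed for the example: `OrderEvent` stands in for an application type that is expected to travel in an ObjectMessage, and `Unexpected` for any other serializable class. The stream subclass refuses to resolve any class descriptor whose name is not on the allowlist, which is what stops an object of an unexpected class from ever being instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class AllowlistDemo {

    // Constructed example type: the one class the application expects to receive.
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
    }

    // Constructed example type: any serializable class the application does not expect.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // An ObjectInputStream that only resolves class descriptors named on the allowlist.
    // resolveClass runs before any instance of the class is created, so a rejected
    // class is never instantiated.
    static final class AllowlistingObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistingObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class is not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Serialize an object to bytes, as a producer would before placing it in a message.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize bytes under the allowlist, as a consumer would when extracting the object.
    static Object deserialize(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistingObjectInputStream(data, allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Only the expected application type is allowed; everything else is rejected.
        Set<String> allowed = Set.of(OrderEvent.class.getName());

        OrderEvent ok = (OrderEvent) deserialize(serialize(new OrderEvent("A-100")), allowed);
        System.out.println("allowed: " + ok.orderId);

        try {
            deserialize(serialize(new Unexpected()), allowed);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Since Java 9 the JDK provides the same control through `java.io.ObjectInputFilter` (JEP 290), which can be set per stream or process-wide; the subclass above is used here because it makes the check visible in one place. Whichever mechanism is used, the allowlist should name exactly the classes the application exchanges and nothing broader, because a wildcard entry for a whole package reintroduces the risk the allowlist is meant to remove.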