Flashes (Alerts)
Abstract
An issue with serializing JMS ObjectMessage objects has resulted in a product behavior change.
Content
MessageSight has disabled the ability to make JMS ObjectMessage getObject() method calls in the latest release because of a known issue (CVE-2015-0375) in Java with deserializing ObjectMessage objects from untrusted sources. The MessageSight JMS Client will not allow use of this method by default unless the object contained is null or empty. If a user requires access to object messages, they can set the following system property:
ImaEnforceObjectMessageSecurity=false
to disable this safeguard. If the safeguard is disabled, one must make sure that every ObjectMessage comes from a trusted source.
If getObject() is called without that system property set, a JmsSecurityException is thrown with the following error:
CWLNC0077: A call to getObject() on an ObjectMessage failed because this method is disabled by default for security purposes.
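As an added illustration (not code from IBM or the MessageSight client), the following listener keeps the safeguard enabled and treats the CWLNC0077 refusal as a rejected message to count and alert on, rather than switching ImaEnforceObjectMessageSecurity off. The class name is hypothetical; it assumes the client's JmsSecurityException is a javax.jms.JMSSecurityException and that the error code appears in its message text.

```java
import java.io.Serializable;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Consumer;
import javax.jms.*;

/** Listener that leaves the MessageSight ObjectMessage safeguard on and records CWLNC0077 refusals. */
public class GuardedObjectMessageListener implements MessageListener {
    static final String SAFEGUARD_PROPERTY = "ImaEnforceObjectMessageSecurity"; // read for logging only
    static final String SAFEGUARD_ERROR_CODE = "CWLNC0077";                    // assumed to appear in getMessage()

    private final Consumer<Serializable> objectHandler; // reached only for null/empty payloads, or real objects if the safeguard was turned off for a trusted source
    final AtomicLong rejected = new AtomicLong();       // counter a monitoring hook can scrape

    public GuardedObjectMessageListener(Consumer<Serializable> objectHandler) {
        this.objectHandler = objectHandler;
    }

    /** True when the client-side check is active: the property is absent or anything but "false". */
    static boolean safeguardEnabled() {
        return !"false".equalsIgnoreCase(System.getProperty(SAFEGUARD_PROPERTY));
    }

    /** True when the exception is the documented refusal to deserialize an ObjectMessage. */
    static boolean isSafeguardRejection(JMSException e) {
        return e instanceof JMSSecurityException
            && e.getMessage() != null && e.getMessage().contains(SAFEGUARD_ERROR_CODE);
    }

    @Override
    public void onMessage(Message msg) {
        if (!(msg instanceof ObjectMessage)) {
            reject(msg, "unexpected message type " + msg.getClass().getName());
            return;
        }
        try {
            // With the safeguard on, getObject() throws unless the payload is null or empty.
            objectHandler.accept(((ObjectMessage) msg).getObject());
        } catch (JMSException e) {
            reject(msg, isSafeguardRejection(e)
                ? "getObject() refused by client; " + SAFEGUARD_PROPERTY + " enforced=" + safeguardEnabled()
                : "JMS failure: " + e.getMessage());
        }
    }
    private void reject(Message msg, String reason) {
        rejected.incrementAndGet();
        String id = "unknown";
        try { id = msg.getJMSMessageID(); } catch (JMSException ignored) { }
        System.err.println("rejected message " + id + ": " + reason); // route to alerting, not just stderr
    }
}
```

A sustained rise in the rejected counter is worth investigating: it means a producer is sending serialized Java objects to a consumer that has not been told to trust it.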
Document Information
More support for: IBM MessageSight
Software version: 1.1, 1.2
Document number: 282033
Modified date: 25 September 2022
UID: swg21985211