Flashes (Alerts)
Abstract
An issue with serialized JMS ObjectMessage objects has resulted in a product behavior change.
Content
In the latest release, MessageSight has disabled calls to the JMS ObjectMessage getObject() method because of a known issue (CVE-2015-0375) in Java with deserializing ObjectMessage objects from untrusted sources. By default, the MessageSight JMS Client does not allow use of this method unless the contained object is null or empty. If a user requires access to object messages, they can set the following system property:
ImaEnforceObjectMessageSecurity=false
to disable this safeguard. However, if this safeguard is disabled, one must make sure that the ObjectMessage input comes from a trusted source.
If one does call the getObject() method without setting the above system property, a JmsSecurityException is thrown with the following error:
CWLNC0077: A call to getObject() on an ObjectMessage failed because this method is disabled by default for security purposes.
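The following is an added example, not code from the IBM flash or from the MessageSight JMS client, of how a consumer can live with the default safeguard rather than switching it off. It leaves ImaEnforceObjectMessageSecurity at its default, treats the JMSSecurityException raised by getObject() (the standard javax.jms.JMSSecurityException, which the flash spells JmsSecurityException) as a rejected message, and shows an alternative for applications that genuinely need object payloads: carry them as a BytesMessage and deserialize through a Java 9+ ObjectInputFilter allowlist so only the expected classes are ever instantiated. OrderEvent, MAX_PAYLOAD_BYTES, the handler methods and the size limits are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Set;

import javax.jms.BytesMessage;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.ObjectMessage;

/**
 * Added example (not part of the IBM flash or the MessageSight client).
 * ObjectMessage payloads are left to the client's default safeguard; object
 * payloads the application really needs travel as BytesMessage and pass an
 * explicit class allowlist. OrderEvent and the handler methods are hypothetical.
 */
public class SafeObjectMessageListener implements MessageListener {

    /** Hypothetical application payload: the only application class we accept. */
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final long amountCents;
        OrderEvent(String orderId, long amountCents) {
            this.orderId = orderId;
            this.amountCents = amountCents;
        }
        @Override public String toString() { return "OrderEvent[" + orderId + ", " + amountCents + "]"; }
    }

    static final int MAX_PAYLOAD_BYTES = 64 * 1024;   // assumed upper bound for a message body
    static final Set<String> ALLOWED_CLASSES = Set.of(
            OrderEvent.class.getName(), String.class.getName());

    /** Allowlist filter: any class not named here, or an oversized object graph, is rejected. */
    static final ObjectInputFilter PAYLOAD_FILTER = info -> {
        if (info.depth() > 4 || info.references() > 100 || info.arrayLength() > 1024) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            return ObjectInputFilter.Status.UNDECIDED;  // limits-only callback, no class to judge
        }
        return ALLOWED_CLASSES.contains(clazz.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    @Override
    public void onMessage(Message message) {
        try {
            if (message instanceof ObjectMessage) {
                // With ImaEnforceObjectMessageSecurity at its default this throws
                // JMSSecurityException (CWLNC0077) unless the object is null or empty.
                handle(((ObjectMessage) message).getObject());
            } else if (message instanceof BytesMessage) {
                handle(readFilteredPayload((BytesMessage) message));
            }
        } catch (JMSSecurityException e) {
            // Keep the safeguard on: record and drop rather than flipping the system property.
            quarantine(message, "getObject() refused by client: " + e.getMessage());
        } catch (JMSException | IOException | ClassNotFoundException e) {
            quarantine(message, "payload rejected: " + e);
        }
    }

    /** Reads the raw body of a received BytesMessage and deserializes it through the filter. */
    static Serializable readFilteredPayload(BytesMessage msg)
            throws JMSException, IOException, ClassNotFoundException {
        long length = msg.getBodyLength();
        if (length > MAX_PAYLOAD_BYTES) {
            throw new IOException("payload too large: " + length + " bytes");
        }
        byte[] body = new byte[(int) length];
        msg.readBytes(body);
        return deserializeFiltered(body);
    }

    static Serializable deserializeFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(PAYLOAD_FILTER);   // must be installed before the first readObject()
            return (Serializable) in.readObject();
        }
    }

    static void handle(Serializable payload) { System.out.println("accepted: " + payload); }
    static void quarantine(Message m, String reason) { System.out.println("quarantined: " + reason); }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(obj); }
        return bos.toByteArray();
    }

    /** Offline check of the filter with constructed payloads; no broker is needed. */
    public static void main(String[] args) throws Exception {
        System.out.println(deserializeFiltered(serialize(new OrderEvent("A-1001", 4599))));
        try {
            deserializeFiltered(serialize(new ArrayList<>()));   // constructed: a class not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Running main shows the allowlisted OrderEvent being accepted and the ArrayList being refused with an InvalidClassException before any of its fields are read. The same pattern applies if the safeguard has to be disabled for a trusted producer: the filter is the check that the flash asks you to perform, made explicit in code instead of relying on the producer never being compromised.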
Document Information
Modified date:
25 September 2022
UID
swg21985211