See https://github.com/rabbitmq/rabbitmq-jms-client/releases/tag/v1.6.0.
1.5.0 is a maintainence release that includes a fix
for CVE-2016-6194.
Classes that can be deserialized from javax.jms.ObjectMessage
now can be limited via a package prefix white list.
There are two ways to do it:
- Via the
com.rabbitmq.jms.TrustedPackagesPrefixesJVM property which accepts a comma separated list of prefixes, for example,java,com.rabbitmq,com.mycompany - Using
RMQConnectionFactory#setTrustedPackages,RMQConnection#setTrustedPackages, orRMQSession#setTrustedPackageswhich accept lists of package prefixes
All options take a list of package name prefixes, e.g. java will make all classes
in java.lang, java.util, and other packages starting with java trusted.
Deserialization attempt for untrusted classes will throw an exception.
GH issue: rabbitmq-jms-client#3.
This fixes CVE-2016-6194 (note: attacker must be authenticated
with RabbitMQ in order to carry out the attack).
This client now depends on RabbitMQ Java client 3.6.3.