Unsafe Deserialization from JMS
Description
Deserialization of an untrusted JMS ObjectMessage can lead to remote code execution: `getObject()` hands the message body to Java serialization with no restriction on which classes may be instantiated. Avoid directly calling `getObject()` on untrusted data.
Examples
Insecure Code
```java
// The cast alone proves nothing about the body; getObject() deserializes it with no class restriction
ObjectMessage objMsg = (ObjectMessage) message;
Object obj = objMsg.getObject();
```
Secure Code
```java
import java.io.*;

class BicycleOnlyInputStream extends ObjectInputStream {
    BicycleOnlyInputStream(InputStream in) throws IOException { super(in); }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Reject any class descriptor other than the single expected type before it is instantiated
        if (!desc.getName().equals(Bicycle.class.getName())) {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
        return super.resolveClass(desc);
    }
}
```
Remediation
Avoid deserialization of untrusted data. Use a class whitelist via a custom ObjectInputStream.
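An added example, not part of the rule text, showing the whitelist applied end to end in a JMS consumer: the listener refuses anything that is not a BytesMessage (so `getObject()` is never reached), bounds the body size, and deserializes only through the allow-listing stream. `SafeBicycleConsumer`, the `Bicycle` payload class, `MAX_BODY_BYTES` and the queue contract (producers send Java-serialized `Bicycle` as a BytesMessage) are assumptions.

```java
import java.io.*;
import javax.jms.*;
public class SafeBicycleConsumer implements MessageListener {
    static final int MAX_BODY_BYTES = 64 * 1024;   // constructed bound; tune to the real payload
    // Assumed payload type; one primitive field means only this class needs to be on the whitelist.
    // Non-primitive fields (e.g. String) would require their types to be allowed as well.
    static final class Bicycle implements Serializable {
        private static final long serialVersionUID = 1L;
        int gears;
    }
    // Every class descriptor passes through resolveClass and dynamic proxies through resolveProxyClass.
    static final class BicycleOnlyInputStream extends ObjectInputStream {
        BicycleOnlyInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!desc.getName().equals(Bicycle.class.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
            throw new InvalidClassException("Proxy classes are not accepted");
        }
    }
    private volatile Bicycle lastAccepted;
    @Override
    public void onMessage(Message message) {
        try {
            if (!(message instanceof BytesMessage)) {
                // Covers ObjectMessage too: getObject() is never called, because the provider would
                // deserialize attacker-controlled bytes with no class restriction.
                throw new JMSException("Only BytesMessage is accepted, got " + message.getClass().getName());
            }
            BytesMessage bytesMsg = (BytesMessage) message;
            if (bytesMsg.getBodyLength() > MAX_BODY_BYTES) {
                throw new JMSException("Payload exceeds " + MAX_BODY_BYTES + " bytes");
            }
            byte[] payload = new byte[(int) bytesMsg.getBodyLength()];
            bytesMsg.readBytes(payload);
            lastAccepted = readBicycle(payload);
        } catch (JMSException | IOException | ClassNotFoundException e) {
            // Log and drop the message; a rejected payload must not be retried or re-deserialized.
        }
    }
    static Bicycle readBicycle(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new BicycleOnlyInputStream(new ByteArrayInputStream(payload))) {
            return (Bicycle) in.readObject();
        }
    }
}
```

On Java 9 and later the same allow-list can also be expressed with `ObjectInputFilter` via `ObjectInputStream.setObjectInputFilter`, which additionally lets you cap graph depth and array sizes.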
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0504 |
| Category | Deserialization |
| Severity | HIGH |
| CWE | CWE-502 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | deserialization, jms, objectmessage |
| OWASP | A8:2017-Insecure Deserialization, A08:2021-Software and Data Integrity Failures |