I am getting a "deserialization of untrusted data" finding during a Checkmarx scan (which finds security-related vulnerabilities in code) in the onMessage() method, which takes a JMS message:
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.ObjectMessage;

@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
public void onMessage(Message message) {
    log.debug("Code Run Started - In Queue");
    if (message instanceof ObjectMessage) {
        ObjectMessage objMes = (ObjectMessage) message;
        // Declared outside the try block so that change() below can see it
        ChangeOperationType changeOperation = null;
        try {
            // getObject() deserializes the payload with Java serialization; this is the call Checkmarx flags
            changeOperation = (ChangeOperationType) objMes.getObject();
        } catch (JMSException e1) {
            log.error("Message Type is incorrect (Not ChangeOperationType). ", e1);
        }
        try {
            callBackEndpoint = message.getStringProperty(CRMCommonProcessing.CALLBACK_ENDPOINT_URI_PROPERTY);
        } catch (JMSException e) {
            log.error("CALLBACK ENDPOINT VALUE ERROR. ", e);
        }
        change(changeOperation);
    } else {
        log.error("WRONG MESSAGE TYPE GIVEN");
    }
    log.debug("Code Run Complete - In Queue");
}
Any fix or resolution for the issue?
ObjectMessage objects, which you are using in your onMessage() method, depend on Java serialization to marshal and unmarshal their object payload. This process is generally considered unsafe, because a malicious payload can exploit the host system. Lots of CVEs have been created for this. For this reason, most JMS providers force users to explicitly whitelist packages that can be exchanged using ObjectMessage messages. For example, here's the related documentation for ActiveMQ Artemis.

There is no magic code fix for this issue that will eliminate the warning from Checkmarx aside from removing the use of ObjectMessage from your code altogether (which is what I would actually recommend). If possible, define a data representation for the payload (JSON, protobuf, XML) and use a javax.jms.TextMessage or javax.jms.BytesMessage to carry it.

There are a number of other issues with using JMS ObjectMessage not related to security that you should read about as well.
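As an added illustration of the recommendation above (not code from the question or the answer), here is a consumer that carries the change request as JSON in a TextMessage, refuses ObjectMessage outright so getObject() is never reached, and binds the JSON to one fixed DTO with Jackson. The class, DTO field names, the "callbackEndpointUri" property name and the change() body are all assumptions for the example.

```java
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.ObjectMessage;
import javax.jms.TextMessage;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

/** Hypothetical consumer: the change request travels as JSON in a TextMessage, never an ObjectMessage. */
public class ChangeOperationListener implements MessageListener {
    /** Plain data holder standing in for ChangeOperationType; its field names are assumed. */
    public static class ChangeOperationDto {
        public String operation;
        public String recordId;
    }
    // Strict mapper: unknown fields are rejected and no polymorphic typing is enabled,
    // so the JSON can only ever produce a ChangeOperationDto, never an attacker-chosen class.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
    private static final int MAX_PAYLOAD_CHARS = 64 * 1024; // size cap checked before parsing

    @Override
    public void onMessage(Message message) {
        try {
            if (message instanceof ObjectMessage) {
                // getObject() is the Java-deserialization sink Checkmarx flags; never call it.
                System.err.println("Rejected ObjectMessage; only TextMessage is accepted");
                return;
            }
            if (!(message instanceof TextMessage)) {
                System.err.println("Rejected message type " + message.getClass().getName());
                return;
            }
            ChangeOperationDto dto = parsePayload(((TextMessage) message).getText());
            String callback = message.getStringProperty("callbackEndpointUri"); // property name assumed
            change(dto, callback);
        } catch (JMSException | java.io.IOException e) {
            System.err.println("Dropped malformed change message: " + e.getMessage());
        }
    }

    /** Parses the JSON body into the fixed DTO shape; throws on missing, oversized or malformed input. */
    static ChangeOperationDto parsePayload(String json) throws java.io.IOException {
        if (json == null || json.length() > MAX_PAYLOAD_CHARS) {
            throw new java.io.IOException("payload missing or too large");
        }
        return MAPPER.readValue(json, ChangeOperationDto.class);
    }

    private void change(ChangeOperationDto dto, String callback) { /* application logic, hypothetical */ }
}
```

Any producer that still sends an ObjectMessage is now logged and dropped rather than deserialized, which also gives you a detection signal while the senders are migrated.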