Allowlisting in IBM MQ classes for JMS
The Java object serialization and deserialization mechanism has been identified as a potential security risk. Allowlisting in IBM MQ classes for JMS provides some protection against some serialization risks.
Note: Wherever possible, the term allowlist has replaced the term whitelist.

The Java object serialization and deserialization mechanism has been identified as a potential security risk because deserialization instantiates arbitrary Java objects, so maliciously sent data has the potential to cause various problems. One notable application of serialization is in Java Message Service (JMS) ObjectMessages, which use serialization to encapsulate and transfer arbitrary objects.
Serialization allowlisting is a potential mitigation against some of the risks that serialization poses. By explicitly specifying which classes can be encapsulated in, and extracted from, ObjectMessages, allowlisting provides some protection against some serialization risks.
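The following is an added illustration of the principle described above, not IBM MQ's own implementation: a constructed allowlist of class names is enforced both when an object is encapsulated (before it is serialized) and when it is extracted (inside the deserializer), so a disallowed class is refused on either side. The class names, the OrderEvent and Untrusted types and the allowlist contents are all assumptions made for the example.

```java
import java.io.*;
import java.util.Set;
public class AllowlistDemo {
    // Constructed allowlist of fully qualified class names permitted in messages (assumption).
    static final Set<String> ALLOWLIST = Set.of("AllowlistDemo$OrderEvent");

    static class OrderEvent implements Serializable {
        final String orderId; final int quantity;
        OrderEvent(String orderId, int quantity) { this.orderId = orderId; this.quantity = quantity; }
    }
    static class Untrusted implements Serializable { }   // stands in for any class not on the list

    // Extract side: refuse any class descriptor whose name is not on the allowlist.
    static class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWLIST.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Encapsulate side: reject a disallowed class before it is serialized into a message.
    static byte[] encapsulate(Serializable payload) throws IOException {
        String name = payload.getClass().getName();
        if (!ALLOWLIST.contains(name)) throw new InvalidClassException(name, "not on the allowlist");
        return rawSerialize(payload);
    }

    static Object extract(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }
    static byte[] rawSerialize(Serializable o) throws IOException {   // unchecked: models a foreign sender
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        OrderEvent ok = (OrderEvent) extract(encapsulate(new OrderEvent("order-42", 3)));
        System.out.println("accepted " + ok.orderId + " x" + ok.quantity);
        try { encapsulate(new Untrusted()); } catch (InvalidClassException e) { System.out.println("send rejected: " + e.getMessage()); }
        try { extract(rawSerialize(new Untrusted())); } catch (InvalidClassException e) { System.out.println("receive rejected: " + e.getMessage()); }
    }
}
```

The third case matters most in practice: a message produced by a sender that performed no check is still refused when it is extracted, because the check lives in the receiving stream. On Java 9 and later the same receive-side check can also be expressed with the standard java.io.ObjectInputFilter.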
See:
- Allowlisting concepts for an overview of allowlisting.
- Setting up and using a JMS allowlist for information on how you set up an allowlist.
- Allowlisting in WebSphere Application Server for information on how you set up an allowlist in WebSphere Application Server.