Checkmarx error: Deserialization of untrusted data

Elbow code · Nov 28, 2019 · Viewed 7.8k times

I am getting deserialization of untrusted data during checkmarx scan (which finds security related vulnerabilities in code) in the onMessage() method which is taking a JMS message:

@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
public void onMessage(Message message) {
    log.debug("Code Run Started - In Queue");
    if (message instanceof ObjectMessage) {
        ObjectMessage objMes = (ObjectMessage) message;
        // declared outside the try block so it is still in scope for change() below
        ChangeOperationType changeOperation = null;
        try {
            // getObject() performs Java deserialization of the payload; this is the line Checkmarx flags
            changeOperation = (ChangeOperationType) objMes.getObject();
        } catch (JMSException e1) {
            log.error("Message Type is incorrect (Not ChangeOperationType). ", e1);
        }
        try {
            callBackEndpoint = message.getStringProperty(CRMCommonProcessing.CALLBACK_ENDPOINT_URI_PROPERTY);
        } catch (JMSException e) {
            log.error("CALLBACK ENDPOINT VALUE ERROR. ", e);
        }
        // only process a payload that was actually read
        if (changeOperation != null) {
            change(changeOperation);
        }
    } else {
        log.error("WRONG MESSAGE TYPE GIVEN");
    }
    log.debug("Code Run Complete - In Queue");
}

Any fix or resolution for the issue?

Answer

Justin Bertram · Nov 28, 2019

ObjectMessage objects, which you are using in your onMessage() method, depend on Java serialization to marshal and unmarshal their object payload. This process is generally considered unsafe, because a malicious payload can exploit the host system. Lots of CVEs have been created for this. For this reason, most JMS providers force users to explicitly whitelist packages that can be exchanged using ObjectMessage messages. For example, here's the related documentation for ActiveMQ Artemis.

There is no magic code fix for this issue that will eliminate the warning from checkmarx aside from removing the use of ObjectMessage from your code altogether (which is what I would actually recommend). If possible, define a data representation for the payload (JSON, protobuf, XML) and use a javax.jms.TextMessage or javax.jms.BytesMessage to carry it.

There are a number of other issues with using JMS ObjectMessage not related to security that you should read about as well.
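The replacement the answer recommends, as an added example (not the asker's code or the answerer's): the listener refuses ObjectMessage outright and reads a JSON body from a TextMessage into a plain DTO. The ChangeOperationType fields, the change() method and the log() helper are placeholders, and JSON parsing assumes Jackson's ObjectMapper is on the classpath.

```java
import java.io.IOException;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.ObjectMessage;
import javax.jms.TextMessage;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class ChangeOperationListener implements MessageListener {

    // Hypothetical payload class: plain fields only, not Serializable, no behaviour.
    public static final class ChangeOperationType {
        public String operation;
        public String recordId;
    }

    // The mapper can only produce ChangeOperationType; unknown JSON keys are rejected.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
    private static final int MAX_PAYLOAD_CHARS = 64 * 1024; // bound parser work per message

    @Override
    public void onMessage(Message message) {
        try {
            if (message instanceof ObjectMessage) {
                // Never call getObject(): refusing the type removes the Java-deserialization sink.
                log("REJECTED ObjectMessage, id=" + message.getJMSMessageID());
                return;
            }
            if (!(message instanceof TextMessage)) {
                log("WRONG MESSAGE TYPE GIVEN: " + message.getClass().getName());
                return;
            }
            String body = ((TextMessage) message).getText();
            if (body == null || body.length() > MAX_PAYLOAD_CHARS) {
                log("REJECTED payload: empty or larger than " + MAX_PAYLOAD_CHARS + " chars");
                return;
            }
            ChangeOperationType op = MAPPER.readValue(body, ChangeOperationType.class);
            if (op.operation == null || op.recordId == null) {
                log("REJECTED payload: required fields missing");
                return;
            }
            change(op);
        } catch (JMSException | IOException e) {
            // Malformed JSON or a broker error: log and drop, do not rethrow into the container loop.
            log("Malformed message: " + e.getMessage());
        }
    }

    private void change(ChangeOperationType op) { /* existing business logic goes here */ }
    private static void log(String msg) { System.err.println(msg); }
}
```

The producer side then sends `session.createTextMessage(json)` instead of `createObjectMessage(...)`, so no Java-serialized bytes cross the broker at all.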