[V8.0.0.6 Jan 2017]

Allowlisting in IBM MQ classes for JMS

The Java object serialization and deserialization mechanism has been identified as a potential security risk. Allowlisting in IBM® MQ classes for JMS provides some protection against some of those risks.

Note: Wherever possible, the term allowlist has replaced the term whitelist.

The Java object serialization and deserialization mechanism has been identified as a potential security risk because deserialization instantiates whatever Java classes the incoming byte stream names, so maliciously sent data can make the receiving application instantiate classes it never intended to and cause various problems. One notable application of serialization is in Java Message Service (JMS) ObjectMessages, which use serialization to encapsulate and transfer arbitrary objects.

Serialization allowlisting is a potential mitigation against some of the risks that serialization poses. By explicitly specifying which classes can be encapsulated in, and extracted from, ObjectMessages, allowlisting ensures that only the listed classes are deserialized from a message payload. It does not protect against defects inside the listed classes themselves, so the list should be kept to the payload types the application actually exchanges.
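The following is an added example, not code from IBM MQ or from this page, showing what class-level allowlisting at deserialization time looks like using the JDK's own mechanism (java.io.ObjectInputFilter, available since Java 9). It stands in for the check IBM MQ classes for JMS applies to ObjectMessage payloads; the MQ product configures its allowlist through a Java system property that is documented in the product's child topics, not here. The classes Order and Unexpected, and the byte streams built from them, are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not IBM MQ code): serialization allowlisting with a JDK
// ObjectInputFilter. Only the class names listed in the allowlist may be
// instantiated; the trailing "!*" pattern rejects everything else.
public class AllowlistDemo {

    // Hypothetical payload type the application legitimately exchanges.
    // Primitive fields only, so the stream names exactly one class.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final long id;
        final int qty;
        Order(long id, int qty) { this.id = id; this.qty = qty; }
        @Override public String toString() { return "Order#" + id + " x" + qty; }
    }

    // Hypothetical type that arrives in a message but was never expected.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Produce the same byte stream an ObjectMessage would carry.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under an allowlist. The filter is consulted when a class is
    // resolved, i.e. before any constructor or readObject of that class runs,
    // and a non-listed class fails with InvalidClassException.
    static Object deserializeAllowlisted(byte[] data, String allowlist)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(allowlist + ";!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow exactly one payload class by its fully qualified name.
        String allowlist = Order.class.getName();

        Object accepted = deserializeAllowlisted(serialize(new Order(100L, 3)), allowlist);
        System.out.println("accepted: " + accepted);

        try {
            deserializeAllowlisted(serialize(new Unexpected()), allowlist);
            System.out.println("BUG: Unexpected was deserialized");
        } catch (InvalidClassException e) {
            // JDK reports "filter status: REJECTED"
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points carry over to any allowlist, including the one in IBM MQ classes for JMS: every class reachable from the payload object (field types, collection element types, array component types) is resolved during deserialization and therefore has to be listed, and the list is a control on which classes get instantiated, not on what those classes do once instantiated.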


See: