When applications call getObject() on a consumed JMS ObjectMessage they are
subject to the behaviour of any object deserialization during the process
of constructing the body to return. Unless the application has taken outside
steps to limit the deserialization process, they can't protect against
input that might try to make undesired use of classes available on the
application classpath that might be vulnerable to exploitation.
This issue affects the versions of qpid-java as shipped with Red Hat MRG 2.x and 3.x. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.