ARTEMIS-6077 document threat model #6468
| Security researchers, operators deploying Artemis in production, and application developers integrating with the broker should consult this model to understand the security contract. | ||
|
|
||
| Findings should be reported per link:https://artemis.apache.org/security-advisories[Artemis' security disclosure process]. | ||
| Findings that that fall under <<security-properties-provided, claimed properties>> will be accepted. |
Double that
| Findings that that fall under <<security-properties-provided, claimed properties>> will be accepted. | |
| Findings that fall under <<security-properties-provided, claimed properties>> will be accepted. |
|
|
||
| Security researchers, operators deploying Artemis in production, and application developers integrating with the broker should consult this model to understand the security contract. | ||
|
|
||
| Findings should be reported per link:https://artemis.apache.org/security-advisories[Artemis' security disclosure process]. |
Optional
| Findings should be reported per link:https://artemis.apache.org/security-advisories[Artemis' security disclosure process]. | |
| Findings should be reported according to the link:https://artemis.apache.org/security-advisories[Artemis' security disclosure process]. |
|
|
||
| Findings should be reported per link:https://artemis.apache.org/security-advisories[Artemis' security disclosure process]. | ||
| Findings that that fall under <<security-properties-provided, claimed properties>> will be accepted. | ||
| Findings that are <<out-of-scope,out of the scope>> or involve security properties <<security-properties-not-provided,explicitly not provided>> will be closed citing this document. |
The findings are rendered without new lines. Are those findings a list?
It's not a list. It's just a paragraph.
| === Trust transitions | ||
|
|
||
| . *Messaging Client → Broker Core:* Messages from network clients (untrusted or authenticated) are parsed by protocol adapters and routed to the broker core. | ||
| Authentication happens at connection establishment; authorization happens per operation (send, consume, create queue, etc.). |
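Review bot: In the Messaging Client → Broker Core item, "(untrusted or authenticated)" sets two different axes against each other, since an authenticated client can still be untrusted. If the intended contrast is about credentials, "unauthenticated or authenticated" would say it directly. The next line also states that authorization happens per operation without saying at which point each listed operation is checked; one clause on that would make the claim testable.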
Consume is a bit different: an authorized consumer can still consume after the consume permissions are revoked. Once the ServerConsumer object is created, no further authorization checks occur during message delivery, and the consumer can continue consuming until it disconnects.
|
|
||
| === Reachability preconditions per component | ||
|
|
||
| * *Protocol Adapters:* A finding is in-model only if reachable from network input on the corresponding protocol port without requiring authenticated management credentials. |
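Review bot: The Protocol Adapters bullet names only "authenticated management credentials" as the excluded precondition, so it is left open whether a finding that needs ordinary authenticated messaging credentials is in-model. Stating that case explicitly in this bullet would remove the ambiguity for anyone triaging a report against it.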
Does this exclude findings that lead to privilege escalations?
No. It's just saying that if you have authenticated management credentials you are trusted and not considered adversarial.
|
|
||
| === Filesystem assumptions | ||
|
|
||
| * The broker assumes it has exclusive write access to its data directory (journal, paging, bindings). |
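Review bot: The data-directory bullet covers write access only ("exclusive write access") and says nothing about who may read the journal, paging and bindings files. If read access by other local accounts is also assumed to be restricted, add that to this bullet; if it is not, say so, since this section is where a reader will look for it.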
Should we also assume restricted access to the etc directory?
I started this document using this skill which was recommended by Apache security. I heavily modified the output to simplify and clarify the result.
This model is relatively high-level. We can add more details as necessary over time to cover any gaps. The main priority here is to cover all the bases and provide researchers (and AI tools) a reference to avoid a glut of false positives.