Author: buildbot
Date: Tue Mar 15 10:09:21 2016
New Revision: 982837
Log:
Staging update by buildbot for tomee
Modified:
websites/staging/tomee/trunk/cgi-bin/ (props changed)
websites/staging/tomee/trunk/content/ (props changed)
websites/staging/tomee/trunk/content/ejbd-transport.html
websites/staging/tomee/trunk/content/properties-listing.html
websites/staging/tomee/trunk/content/security/tomee.html
Propchange: websites/staging/tomee/trunk/cgi-bin/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Mar 15 10:09:21 2016
@@ -1 +1 @@
-1735025
+1735051
Propchange: websites/staging/tomee/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Mar 15 10:09:21 2016
@@ -1 +1 @@
-1735025
+1735051
Modified: websites/staging/tomee/trunk/content/ejbd-transport.html
==============================================================================
--- websites/staging/tomee/trunk/content/ejbd-transport.html (original)
+++ websites/staging/tomee/trunk/content/ejbd-transport.html Tue Mar 15
10:09:21 2016
@@ -172,7 +172,7 @@ using the "activated" init parameter of
<p>Finally you can move this servlet in your own webapp if you want to use a
provider url
containing your webapp context. Simply copy paste the servlet definition in
your web.xml
and set the url mapping to what you want (let say /foo/*). Then use the
provider url
-http://<host>:<port>/<webapp context name&lgt;/foo</p>
+http://<host>:<port>/<webapp context name>/foo</p>
<h3>Remote communication and serialization</h3>
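Review bot: the `&lgt;` to `>` correction on the provider URL `+` line is right, but the placeholders `<host>`, `<port>` and `<webapp context name>` are still raw angle brackets in HTML source, so a browser will parse them as tags and the rendered URL collapses to something like `http://:/foo`. Escape them as `http://&lt;host&gt;:&lt;port&gt;/&lt;webapp context name&gt;/foo` so the placeholders are visible to the reader.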
@@ -223,6 +223,21 @@ tomee.serialization.class.blacklist = -
tomee.serialization.class.blacklist = foo.Bar
</code></pre>
+<h4>Revert to behavior of TomEE 1.7.3</h4>
+
+<p>You can configure these properties so that the Ejbd transport will behave
in the same way it did with TomEE 1.7.3:</p>
+
+<pre><code>tomee.serialization.class.whitelist =
+tomee.serialization.class.blacklist =
org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan,java.lang.Process
+</code></pre>
+
+<p>Please note that with this configuration your server is vulnerable to Java
serialization attacks again in particular when the system is exposed to the
internet.</p>
+
+<p>As Ejbd transport is tunneled over HTTP please make sure that the
<code>ServerServlet</code> is not publicly accessible.
+When the applications running on TomEE do not package the
<code>ServerServlet</code> themselves ensure that the URL
http://<host>:<port>/tomee/ejb is not accessible from untrusted
sources.</p>
+
+<p>If your applications package declare it in their own web.xml make sure that
the respective URL is not accessible from untrusted sources.</p>
+
<h4>Remote communication and Arquillian tests</h4>
<p>The mechanism described above principally also works when running
Arquillian tests.
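Review bot: the blacklist in the new "Revert to behavior of TomEE 1.7.3" block mixes trailing-dot package prefixes (`org.codehaus.groovy.runtime.`, `org.apache.commons.collections.functors.`) with a bare `org.apache.xalan` and a single class name `java.lang.Process`; readers will paste this line verbatim, so please confirm the bare form is intended (if matching is by prefix it also covers any other name starting with `org.apache.xalan`) and state the matching rule in the text. Two smaller points in the same hunk: the URL `http://<host>:<port>/tomee/ejb` has unescaped angle brackets in HTML source and will not render as written, and "If your applications package declare it in their own web.xml" should read "If your applications declare it in their own web.xml". Since the hunk header shows this section already documents the `activated` init parameter, the paragraph asking that `ServerServlet` not be publicly accessible would be more useful if it pointed to that parameter or to a security constraint as the way to achieve it.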
Modified: websites/staging/tomee/trunk/content/properties-listing.html
==============================================================================
--- websites/staging/tomee/trunk/content/properties-listing.html (original)
+++ websites/staging/tomee/trunk/content/properties-listing.html Tue Mar 15
10:09:21 2016
@@ -193,8 +193,8 @@
<tr><td>openejb.log.color</td><td> bool </td><td> activate or not the color in
the console in embedded mode </td></tr>
<tr><td>openejb.log.color.<level in lowercase></td><td> color in
uppercase </td><td> set a color
for a particular level. Color are BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA,
CYAN, WHITE, DEFAULT. </td></tr>
-<tr><td>tomee.serialization.class.blacklist</td><td> string </td><td> default
list of packages/classnames excluded for EJBd deserialization (needs to be set
on server and client sides)</td></tr>
-<tr><td>tomee.serialization.class.whitelist</td><td> string </td><td> default
list of packages/classnames allowed for EJBd deserialization (blacklist wins
over whitelist, needs to be set on server and client sides)</td></tr>
+<tr><td>tomee.serialization.class.blacklist</td><td> string </td><td> default
list of packages/classnames excluded for EJBd deserialization (needs to be set
on server and client sides). Please see the description of [Ejbd
Transport](ejbd-transport.html) for details.</td></tr>
+<tr><td>tomee.serialization.class.whitelist</td><td> string </td><td> default
list of packages/classnames allowed for EJBd deserialization (blacklist wins
over whitelist, needs to be set on server and client sides). Please see the
description of [Ejbd Transport](ejbd-transport.html) for details.</td></tr>
<tr><td>tomee.remote.support</td><td> boolean </td><td> if true /tomee webapp
is auto-deployed and EJBd is active (true by default for 1.x, false for 7.x
excepted for tomee maven plugin and arquillian)</td></tr>
</table>
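Review bot: the two `+` rows use Markdown link syntax `[Ejbd Transport](ejbd-transport.html)` inside HTML `<td>` cells of a generated `.html` page; unless the CMS post-processes Markdown inside HTML tables, this will render as literal brackets and parentheses. Use an HTML anchor instead, e.g. `<a href="/ejbd-transport.html">Ejbd Transport</a>`, which is the form the security/tomee.html change in this same commit uses.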
Modified: websites/staging/tomee/trunk/content/security/tomee.html
==============================================================================
--- websites/staging/tomee/trunk/content/security/tomee.html (original)
+++ websites/staging/tomee/trunk/content/security/tomee.html Tue Mar 15
10:09:21 2016
@@ -172,10 +172,10 @@ that even if fixed in 7.0.0-M2 we recomm
<p>This issue only affects you if you rely on EJBd protocol (proprietary
remote EJB protocol). This one one is not activated by default on the 7.x series
but it was on the 1.x ones.</p>
-<p>The related CVE number is <em>CVE-2016-0779</em>: the EJBd protocol
provided by TomEE can exploit the 0-day vulnerability.
+<p>The related CVE number is <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0779">CVE-2016-0779</a>:
the EJBd protocol provided by TomEE can exploit the 0-day vulnerability.
This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9.</p>
-<p>Check <a href="/properties-listing.html">properties configuration</a> for
more details (tomee.serialization.class.* and tomee.remote.support).</p>
+<p>Check <a href="/properties-listing.html">properties configuration</a> and
<a href="/ejbd-transport.html">Ejbd transport</a> for more details
(tomee.serialization.class.* and tomee.remote.support).</p>
<h3>Credit</h3>
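Review bot: "the EJBd protocol provided by TomEE can exploit the 0-day vulnerability" on the `+` line reads as if the protocol were the attacker; it should say the EJBd protocol provided by TomEE is affected by (or can be used to trigger) the deserialization vulnerability. While this paragraph is being touched, the duplicated word in the context line "This one one is not activated by default" could be fixed too, and the commit hash 58cdbbef9c77ab2b44870f9d606593b49cde76d9 is plain text: naming the repository it belongs to, or linking it, would help readers locate the fix.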