Author: rmannibucau Date: Tue Mar 15 10:08:06 2016 New Revision: 1735051 URL: http://svn.apache.org/viewvc?rev=1735051&view=rev Log: TOMEE-1733 Robert Panzer updates on the doc on how to go back on 1.7.3 behavior with ejbd serialization config
Modified: tomee/site/trunk/content/ejbd-transport.mdtext tomee/site/trunk/content/properties-listing.mdtext tomee/site/trunk/content/security/tomee.mdtext Modified: tomee/site/trunk/content/ejbd-transport.mdtext URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/ejbd-transport.mdtext?rev=1735051&r1=1735050&r2=1735051&view=diff ============================================================================== --- tomee/site/trunk/content/ejbd-transport.mdtext (original) +++ tomee/site/trunk/content/ejbd-transport.mdtext Tue Mar 15 10:08:06 2016 @@ -29,7 +29,7 @@ using the "activated" init parameter of Finally you can move this servlet in your own webapp if you want to use a provider url containing your webapp context. Simply copy paste the servlet definition in your web.xml and set the url mapping to what you want (let say /foo/*). Then use the provider url -http://<host>:<port>/<webapp context name&lgt;/foo +http://<host>:<port>/<webapp context name>/foo ### Remote communication and serialization 
@@ -74,6 +74,20 @@ If you trust all classes in the package tomee.serialization.class.whitelist = foo. tomee.serialization.class.blacklist = foo.Bar +#### Revert to behavior of TomEE 1.7.3 + +You can configure these properties so that the Ejbd transport will behave in the same way it did with TomEE 1.7.3: + + tomee.serialization.class.whitelist = + tomee.serialization.class.blacklist = org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan,java.lang.Process + +Please note that with this configuration your server is vulnerable to Java serialization attacks again in particular when the system is exposed to the internet. + +As Ejbd transport is tunneled over HTTP please make sure that the `ServerServlet` is not publicly accessible. +When the applications running on TomEE do not package the `ServerServlet` themselves ensure that the URL http://<host>:<port>/tomee/ejb is not accessible from untrusted sources. + +If your applications package declare it in their own web.xml make sure that the respective URL is not accessible from untrusted sources. + #### Remote communication and Arquillian tests The mechanism described above principally also works when running Arquillian tests. Modified: tomee/site/trunk/content/properties-listing.mdtext URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/properties-listing.mdtext?rev=1735051&r1=1735050&r2=1735051&view=diff ============================================================================== --- tomee/site/trunk/content/properties-listing.mdtext (original) +++ tomee/site/trunk/content/properties-listing.mdtext Tue Mar 15 10:08:06 2016 
@@ -49,8 +49,8 @@ Title: System Properties Listing <tr><td>openejb.log.color</td><td> bool </td><td> activate or not the color in the console in embedded mode </td></tr> <tr><td>openejb.log.color.<level in lowercase></td><td> color in uppercase </td><td> set a color for a particular level. Color are BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA, CYAN, WHITE, DEFAULT. </td></tr> -<tr><td>tomee.serialization.class.blacklist</td><td> string </td><td> default list of packages/classnames excluded for EJBd deserialization (needs to be set on server and client sides)</td></tr> -<tr><td>tomee.serialization.class.whitelist</td><td> string </td><td> default list of packages/classnames allowed for EJBd deserialization (blacklist wins over whitelist, needs to be set on server and client sides)</td></tr> +<tr><td>tomee.serialization.class.blacklist</td><td> string </td><td> default list of packages/classnames excluded for EJBd deserialization (needs to be set on server and client sides). Please see the description of [Ejbd Transport](ejbd-transport.html) for details.</td></tr> +<tr><td>tomee.serialization.class.whitelist</td><td> string </td><td> default list of packages/classnames allowed for EJBd deserialization (blacklist wins over whitelist, needs to be set on server and client sides). 
Please see the description of [Ejbd Transport](ejbd-transport.html) for details.</td></tr> <tr><td>tomee.remote.support</td><td> boolean </td><td> if true /tomee webapp is auto-deployed and EJBd is active (true by default for 1.x, false for 7.x excepted for tomee maven plugin and arquillian)</td></tr> </table> Modified: tomee/site/trunk/content/security/tomee.mdtext URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/tomee.mdtext?rev=1735051&r1=1735050&r2=1735051&view=diff ============================================================================== --- tomee/site/trunk/content/security/tomee.mdtext (original) +++ tomee/site/trunk/content/security/tomee.mdtext Tue Mar 15 10:08:06 2016 @@ -29,10 +29,10 @@ that even if fixed in 7.0.0-M2 we recomm This issue only affects you if you rely on EJBd protocol (proprietary remote EJB protocol). This one one is not activated by default on the 7.x series but it was on the 1.x ones. -The related CVE number is *CVE-2016-0779*: the EJBd protocol provided by TomEE can exploit the 0-day vulnerability. +The related CVE number is [CVE-2016-0779](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0779): the EJBd protocol provided by TomEE can exploit the 0-day vulnerability. This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9. -Check [properties configuration](/properties-listing.html) for more details (tomee.serialization.class.* and tomee.remote.support). +Check [properties configuration](/properties-listing.html) and [Ejbd transport](/ejbd-transport.html) for more details (tomee.serialization.class.* and tomee.remote.support). ### Credit
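Review bot: In the "Revert to behavior of TomEE 1.7.3" hunk of ejbd-transport.mdtext, the blacklist value mixes entry styles: `org.codehaus.groovy.runtime.` and `org.apache.commons.collections.functors.` carry the trailing dot that the page's own whitelist example (`foo.`) uses for packages, while `org.apache.xalan` does not. Either write it as `org.apache.xalan.` for consistency, or state in the surrounding text that entries are matched as plain prefixes so readers know both forms are equivalent. The same section should also say explicitly that an empty `tomee.serialization.class.whitelist` means every class not on the blacklist is accepted; that is the whole point of the revert, but a reader may read "empty" as "allow nothing". Two wording fixes on the added lines: "vulnerable to Java serialization attacks again in particular when" needs a comma before "in particular", and "If your applications package declare it in their own web.xml" should read "If your applications declare it in their own web.xml".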
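Review bot: In the properties-listing.mdtext hunk, the two rewritten rows only append a pointer to the Ejbd Transport page; the whitelist row still does not say what an empty value means, and that is exactly the setting the new "Revert to behavior of TomEE 1.7.3" section relies on. Suggest extending the whitelist cell with something like "an empty value allows every class not matched by the blacklist" so the properties table is correct on its own. Also note the relative link `ejbd-transport.html` here versus the absolute `/ejbd-transport.html` used in security/tomee.mdtext: both resolve from their respective locations, but using the absolute form in both files avoids breakage if properties-listing.mdtext is ever moved into a subdirectory.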
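Review bot: In the security/tomee.mdtext hunk, the rewritten CVE line keeps the phrase "the EJBd protocol provided by TomEE can exploit the 0-day vulnerability", which reads backwards: the protocol is the component affected by the deserialization issue, it does not exploit anything. Since the line is already being changed to add the CVE link, suggest "the EJBd protocol provided by TomEE is affected by this deserialization vulnerability". The unchanged context line just above it, "This one one is not activated by default on the 7.x series", has a doubled "one" that could be fixed in the same pass.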