Author: rmannibucau
Date: Tue Mar 15 10:08:06 2016
New Revision: 1735051

URL: http://svn.apache.org/viewvc?rev=1735051&view=rev
Log:
TOMEE-1733 Robert Panzer's updates on the doc on how to go back to the 1.7.3 behavior with ejbd serialization config

Modified:
    tomee/site/trunk/content/ejbd-transport.mdtext
    tomee/site/trunk/content/properties-listing.mdtext
    tomee/site/trunk/content/security/tomee.mdtext

Modified: tomee/site/trunk/content/ejbd-transport.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/ejbd-transport.mdtext?rev=1735051&r1=1735050&r2=1735051&view=diff
==============================================================================
--- tomee/site/trunk/content/ejbd-transport.mdtext (original)
+++ tomee/site/trunk/content/ejbd-transport.mdtext Tue Mar 15 10:08:06 2016
@@ -29,7 +29,7 @@ using the "activated" init parameter of
 Finally you can move this servlet in your own webapp if you want to use a 
provider url
 containing your webapp context. Simply copy paste the servlet definition in 
your web.xml
 and set the url mapping to what you want (let say /foo/*). Then use the 
provider url
-http://<host>:<port>/<webapp context name&lgt;/foo
+http://<host>:<port>/<webapp context name>/foo
 
 ### Remote communication and serialization
 
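Review bot: the placeholders on the corrected line `+http://<host>:<port>/<webapp context name>/foo` are bare angle brackets in a .mdtext file, so a Markdown renderer will most likely pass `<host>`, `<port>` and `<webapp context name>` through as HTML tags and the browser will drop them, leaving the reader with `http://:/` and `/foo`. Wrap the whole URL in backticks or escape the brackets as `&lt;`/`&gt;`; the removed line's `&lgt;` looks like an attempt at exactly that escaping, with a typo, rather than a stray `>`.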
@@ -74,6 +74,20 @@ If you trust all classes in the package
     tomee.serialization.class.whitelist = foo.
     tomee.serialization.class.blacklist = foo.Bar
 
+#### Revert to behavior of TomEE 1.7.3
+
+You can configure these properties so that the Ejbd transport will behave in 
the same way it did with TomEE 1.7.3:
+
+    tomee.serialization.class.whitelist = 
+    tomee.serialization.class.blacklist = 
org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan,java.lang.Process
+
+Please note that with this configuration your server is vulnerable to Java 
serialization attacks again in particular when the system is exposed to the 
internet.
+
+As Ejbd transport is tunneled over HTTP please make sure that the 
`ServerServlet` is not publicly accessible.
+When the applications running on TomEE do not package the `ServerServlet` 
themselves ensure that the URL http://<host>:<port>/tomee/ejb is 
not accessible from untrusted sources.
+
+If your applications package declare it in their own web.xml make sure that 
the respective URL is not accessible from untrusted sources.
+
 #### Remote communication and Arquillian tests
 
 The mechanism described above principally also works when running Arquillian 
tests.
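Review bot: the new configuration block relies on an empty `tomee.serialization.class.whitelist = ` meaning "no whitelist restriction", but the text never says so, and a reader who has just learned from the properties listing that the blacklist wins over the whitelist may read an empty whitelist as "allow nothing". State explicitly what an empty whitelist and an empty blacklist each mean. Also confirm whether entries are matched by prefix: `org.apache.xalan` is the only blacklist entry without the trailing dot that `org.codehaus.groovy.runtime.` and `org.apache.commons.collections.functors.` carry, so either it is intentional (and worth a sentence) or the dot is missing. Two smaller points: `http://<host>:<port>/tomee/ejb` uses bare angle brackets that a Markdown renderer may strip, so put the URL in backticks; and "If your applications package declare it in their own web.xml" should read "If your applications declare it in their own web.xml".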

Modified: tomee/site/trunk/content/properties-listing.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/properties-listing.mdtext?rev=1735051&r1=1735050&r2=1735051&view=diff
==============================================================================
--- tomee/site/trunk/content/properties-listing.mdtext (original)
+++ tomee/site/trunk/content/properties-listing.mdtext Tue Mar 15 10:08:06 2016
@@ -49,8 +49,8 @@ Title: System Properties Listing
 <tr><td>openejb.log.color</td><td> bool </td><td> activate or not the color in 
the console in embedded mode </td></tr>
 <tr><td>openejb.log.color.&lt;level in lowercase&gt;</td><td> color in 
uppercase </td><td> set a color
 for a particular level. Color are BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA, 
CYAN, WHITE, DEFAULT.  </td></tr>
-<tr><td>tomee.serialization.class.blacklist</td><td> string </td><td> default 
list of packages/classnames excluded for EJBd deserialization (needs to be set 
on server and client sides)</td></tr>
-<tr><td>tomee.serialization.class.whitelist</td><td> string </td><td> default 
list of packages/classnames allowed for EJBd deserialization (blacklist wins 
over whitelist, needs to be set on server and client sides)</td></tr>
+<tr><td>tomee.serialization.class.blacklist</td><td> string </td><td> default 
list of packages/classnames excluded for EJBd deserialization (needs to be set 
on server and client sides). Please see the description of [Ejbd 
Transport](ejbd-transport.html) for details.</td></tr>
+<tr><td>tomee.serialization.class.whitelist</td><td> string </td><td> default 
list of packages/classnames allowed for EJBd deserialization (blacklist wins 
over whitelist, needs to be set on server and client sides). Please see the 
description of [Ejbd Transport](ejbd-transport.html) for details.</td></tr>
 <tr><td>tomee.remote.support</td><td> boolean </td><td> if true /tomee webapp 
is auto-deployed and EJBd is active (true by default for 1.x, false for 7.x 
excepted for tomee maven plugin and arquillian)</td></tr>
 </table>
 
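Review bot: both rewritten cells embed a Markdown link, `[Ejbd Transport](ejbd-transport.html)`, inside raw HTML `<tr><td>` rows; many Markdown processors do not parse inline Markdown inside block-level HTML, so the link may render literally with its brackets. Use an HTML anchor inside the cells instead, e.g. `<a href="ejbd-transport.html">Ejbd Transport</a>`, and consider the site-absolute form `/ejbd-transport.html` that the security page uses in the same commit, so the link does not depend on where properties-listing.html is served from.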

Modified: tomee/site/trunk/content/security/tomee.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/tomee.mdtext?rev=1735051&r1=1735050&r2=1735051&view=diff
==============================================================================
--- tomee/site/trunk/content/security/tomee.mdtext (original)
+++ tomee/site/trunk/content/security/tomee.mdtext Tue Mar 15 10:08:06 2016
@@ -29,10 +29,10 @@ that even if fixed in 7.0.0-M2 we recomm
 This issue only affects you if you rely on EJBd protocol (proprietary remote 
EJB protocol). This one one is not activated by default on the 7.x series
 but it was on the 1.x ones.
 
-The related CVE number is *CVE-2016-0779*: the EJBd protocol provided by TomEE 
can exploit the 0-day vulnerability.
+The related CVE number is 
[CVE-2016-0779](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0779): 
the EJBd protocol provided by TomEE can exploit the 0-day vulnerability.
 This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9.
 
-Check [properties configuration](/properties-listing.html) for more details 
(tomee.serialization.class.* and tomee.remote.support).
+Check [properties configuration](/properties-listing.html) and [Ejbd 
transport](/ejbd-transport.html) for more details (tomee.serialization.class.* 
and tomee.remote.support).
 
 ### Credit
 
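Review bot: the wording carried over into the new CVE line, "the EJBd protocol provided by TomEE can exploit the 0-day vulnerability", says the protocol does the exploiting; it should say the protocol is affected by (or exposed to) the vulnerability, e.g. "the EJBd protocol provided by TomEE is affected by this vulnerability". Since the CVE is now a link, the fix commit `58cdbbef9c77ab2b44870f9d606593b49cde76d9` on the following line would benefit from one as well. Drive-by in the unchanged context: "This one one is not activated by default" has a doubled "one".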

