Hi Pete,

On 17.06.20 23:44, Pete Helgren wrote:
> I am going to guess that it is one of these two known vulnerabilities:
> CST-7111: RCE via JSON deserialization (LPS-88051/LPE-165981)
> The JSONDeserializer of Flexjson allows the instantiation of arbitrary
> classes and the invocation of arbitrary setter methods.
> CST-7205: Unauthenticated Remote code execution via JSONWS
> (LPS-97029/CVE-2020-7961)
> The JSONWebServiceActionParametersMap of Liferay Portal allows the
> instantiation of arbitrary classes and invocation of arbitrary setter
> methods.
> Found the signature in the logs and it's pretty clear that that is
> what we are up against.  However, if something else comes to mind,
> feel free to post back.  I did come across a couple of other posts
> where the OP said there was nothing but Tomcat and they also ended up
> with the miner.
> I have some updating to do....
Correct analysis.

What you need is this update

And while you're at it: There has been another patch published this



To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
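The two advisories quoted above describe the same mechanism: a JSON deserializer that lets the sender name the class to instantiate and then calls a setter for every remaining key. The block below is an added illustration of that pattern and of the usual fix, not code from Flexjson, Liferay or anyone on this thread. The classes Address and ShellSink, the resolve_class helper standing in for Class.forName(), and the ALLOWED_FIELDS table are all assumptions made for the example.

```python
"""Model of a 'class name in the JSON' deserializer and a hardened version.
Added illustration only; not Flexjson or Liferay code."""
import importlib
import json
import sys


class Address:
    """Ordinary bean the endpoint actually expects (constructed example)."""
    def __init__(self):
        self.city = None

    def set_city(self, city):
        self.city = city


class ShellSink:
    """Hypothetical class that happens to be loadable; its setter has a
    side effect, modelled here by recording the value instead of acting on it."""
    def __init__(self):
        self.ran = []

    def set_command(self, cmd):
        # In a real gadget class this is where the damage would happen.
        self.ran.append(cmd)


def resolve_class(name):
    """Stand-in for Class.forName(): any loadable class, chosen by name.
    A bare name is looked up in this module, a dotted one is imported."""
    module_name, _, attr = name.rpartition(".")
    module = importlib.import_module(module_name) if module_name else sys.modules[__name__]
    return getattr(module, attr)


def unsafe_deserialize(payload):
    """Vulnerable pattern: the sender picks the type and the setters."""
    data = json.loads(payload)
    obj = resolve_class(data.pop("class"))()
    for key, value in data.items():
        setter = getattr(obj, "set_" + key, None)
        if callable(setter):
            setter(value)  # arbitrary setter on an arbitrary class
    return obj


# Hardened pattern: the endpoint fixes the type and the fields it will fill.
ALLOWED_FIELDS = {Address: {"city"}}


def safe_deserialize(payload, expected):
    """Reject type selection from input and any field not explicitly allowed."""
    data = json.loads(payload)
    if "class" in data:
        raise ValueError("type selection from input is not allowed")
    unknown = set(data) - ALLOWED_FIELDS[expected]
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    obj = expected()
    for key, value in data.items():
        getattr(obj, "set_" + key)(value)
    return obj


if __name__ == "__main__":
    hostile = '{"class": "ShellSink", "command": "id"}'  # constructed input
    print(unsafe_deserialize(hostile).ran)
    print(safe_deserialize('{"city": "Oslo"}', Address).city)
    try:
        safe_deserialize(hostile, Address)
    except ValueError as err:
        print("rejected:", err)
```

The point of the hardened version is that neither the class nor the set of setters is ever derived from the request: the endpoint decides the type, and an allowlist decides which setters may run. A patch that merely blocks a few known gadget classes leaves the underlying design intact.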
