On Sat, Dec 11, 2021 at 11:05 PM Sebastian Hennebrüder <use...@laliluna.de> wrote:
>
> Hi all,
>
> I reproduced the attack against Tomcat 9.0.56 with the latest Java 8 and Java 11.
> Actually the Java patch version is not relevant.
>
> It is possible with a deployed Tomcat 9 and with Spring Boot with Tomcat embedded.
>
> If your server can reach arbitrary servers on the Internet, you can execute
> random code in the shell.
>
> The attack is not using RMI remote class loading but uses Tomcat's BeanFactory
> to create an ELExpression library. As the BeanFactory has features to
> manipulate instantiated classes, it can inject a script. In a plain Java
> application this would still be blocked by RMI class loading, but Tomcat
> circumvents this.
>
> The attack was explained in 2019 at
> https://www.veracode.com/blog/research/exploiting-jndi-injections-java
Also, another person already thought about digging this up (even before we were aware of the log4j problem): https://bz.apache.org/bugzilla/show_bug.cgi?id=65736

Rémy