Hmmm, so does Tomee expose any RMI end-points or use Java serialization anywhere at all?
The issue here is that if you deserialize *anything* and commons-collections (/ groovy / some other libs) is on the classpath that ObjectInputStream uses for class instantiation, then somebody can deliver a payload that references those classes and compromises the running code.

https://github.com/apache/openejb/search?utf8=%E2%9C%93&q=ObjectInputStream

Says there are 22 usages of ObjectInputStream; none of those appear to be doing class filtering.

https://github.com/jenkinsci/remoting/blob/bfbcfb3282d98cda4de6c4f0deb9bcb03e3c5187/src/main/java/hudson/remoting/ObjectInputStreamEx.java#L54

Shows one way of implementing class filtering.

https://www.youtube.com/watch?v=OWwOJlOI1nU

On 26 November 2015 at 19:29, Romain Manni-Bucau <[email protected]> wrote:

> Tomee code itself doesn't use commons collections for deserialisation. The
> issue is however not limited to commons collection but tomee is not known
> to be affected.
>
> On 26 Nov 2015 13:37, "Lukas Kohl" <[email protected]> wrote:
>
> > Hello,
> >
> > A recent analysis by Foxglove Security has confirmed multiple zero day,
> > remotely executable exploits, for Java applications that deserialize
> > objects from untrusted network sources and use libraries such as Apache
> > Commons Collections, Groovy or Spring.
> >
> > see -->
> > http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> >
> > As Apache Commons Collections is included in OpenEJB, we need to know if
> > it is affected by this vulnerability.
> > If yes, please let us know what is your recommendation to prevent damage,
> > and when will a patch be available.
> >
> > P.s.: Sorry for double post, but I am not sure if my first Mail reached
> > the Mailinglist (missing subscription)
> >
> > Thanks!
> >
> > Kind Regards
> > Lukas
> >
> > www.ergodirekt.de
> > Blog: http://blog.ergodirekt.de
> > Facebook: www.facebook.com/ERGODirekt
> > Google+: www.google.com/+ergodirekt
> > Twitter: www.twitter.com/ERGODirekt
> > YouTube: www.youtube.com/ERGODirekt
> > _______________________
> >
> > ERGO Direkt Lebensversicherung AG · Amtsgericht Fürth HRB 2787 · UST-ID-Nr. DE159593454
> > ERGO Direkt Versicherung AG · Amtsgericht Fürth HRB 2934 · UST-ID-Nr. DE159593438
> > ERGO Direkt Krankenversicherung AG · Amtsgericht Fürth HRB 4694 · UST-ID-Nr. DE159593446
> > Vorsitzender der Aufsichtsräte der ERGO Direkt Lebensversicherung AG und
> > der ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
> > Vorsitzender des Aufsichtsrats der ERGO Direkt Versicherung AG: Christian Diedrich
> > Vorstände: Dr. Daniel von Borries (Vorsitzender), Ralf Hartmann, Dr. Jörg Stoffels · Sitz: Fürth
> > Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
> > UniCredit Bank AG - HypoVereinsbank Kto.-Nr.: 66 071 430 · BLZ 700 202 70
> > IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
