There are a few places (mainly one actually) but it is optional so a default instance shouldn't have any issue. That said you are right we need to fix the embedded ejbd code.
Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>

2015-11-27 11:35 GMT+01:00 Stephen Connolly <[email protected]>:

> Hmmm,
>
> So does Tomee expose any RMI end-points or use Java serialization anywhere
> at all?
>
> The issue here is that if you deserialize *anything* and
> commons-collections ( / groovy / some other libs) is on the classpath that
> ObjectInputStream uses for class instantiation then somebody can deliver a
> payload that references those classes and compromises the running code.
>
> https://github.com/apache/openejb/search?utf8=%E2%9C%93&q=ObjectInputStream
>
> Says there are 22 usages of ObjectInputStream, none of those appear to be
> doing class filtering
>
> https://github.com/jenkinsci/remoting/blob/bfbcfb3282d98cda4de6c4f0deb9bcb03e3c5187/src/main/java/hudson/remoting/ObjectInputStreamEx.java#L54
>
> Shows one way of implementing class filtering.
>
> https://www.youtube.com/watch?v=OWwOJlOI1nU
>
> On 26 November 2015 at 19:29, Romain Manni-Bucau <[email protected]> wrote:
>
> > Tomee code itself doesn't use commons collections for deserialisation. The
> > issue is however not limited to commons collection but tomee is not known
> > to be affected.
> >
> > On 26 Nov 2015 at 13:37, "Lukas Kohl" <[email protected]> wrote:
> >
> > > Hello,
> > > A recent analysis by Foxglove Security has confirmed multiple zero day,
> > > remotely executable exploits, for Java applications that deserialize
> > > objects from untrusted network sources and use libraries such as Apache
> > > Commons Collections, Groovy or Spring.
> > > see -->
> > > http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
> > > As Apache Commons Collections is included in OpenEJB, we need to know if
> > > it is affected by this vulnerability.
> > > If yes, please let us know what is your recommendation to prevent damage,
> > > and when will be a patch available.
> > >
> > > P.s.: Sorry for double post, but I am not sure if my first Mail reached
> > > the Mailinglist (missing subscription)
> > >
> > > Thanks!
> > >
> > > Kind Regards
> > > Lukas
> > >
> > > www.ergodirekt.de
> > >
> > > Blog: http://blog.ergodirekt.de
> > > Facebook: www.facebook.com/ERGODirekt
> > > Google+: www.google.com/+ergodirekt
> > > Twitter: www.twitter.com/ERGODirekt
> > > YouTube: www.youtube.com/ERGODirekt
> > > _______________________
> > >
> > > ERGO Direkt Lebensversicherung AG · Local Court Fürth HRB 2787 · VAT ID No. DE159593454
> > > ERGO Direkt Versicherung AG · Local Court Fürth HRB 2934 · VAT ID No. DE159593438
> > > ERGO Direkt Krankenversicherung AG · Local Court Fürth HRB 4694 · VAT ID No. DE159593446
> > > Chairman of the Supervisory Boards of ERGO Direkt Lebensversicherung AG and
> > > ERGO Direkt Krankenversicherung AG: Dr. Clemens Muth
> > > Chairman of the Supervisory Board of ERGO Direkt Versicherung AG: Christian Diedrich
> > > Management Board: Dr. Daniel von Borries (Chairman), Ralf Hartmann, Dr. Jörg Stoffels · Registered office: Fürth
> > > Karl-Martell-Straße 60 · 90344 Nürnberg · Internet: ergodirekt.de
> > > UniCredit Bank AG - HypoVereinsbank Account No.: 66 071 430 · Bank code 700 202 70
> > > IBAN: DE63 7002 0270 0066 0714 30 · BIC: HYVEDEMM
> > >
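The class filtering Stephen Connolly points at above (an `ObjectInputStream` subclass that refuses to resolve classes it does not expect), written out as an added example. This is not OpenEJB/TomEE code and not the Jenkins `ObjectInputStreamEx` itself; the `Payload` type, the allowlist contents and the `serialize`/`deserialize` helpers are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not OpenEJB/TomEE code: an ObjectInputStream that only resolves
 * classes on an explicit allowlist. Every class descriptor in the stream passes
 * through resolveClass(); anything not allowed is rejected there, before the
 * class is loaded. Payload and the allowlist are constructed for this demo.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    /** "[[Lpkg.Type;" -> "pkg.Type"; primitive arrays such as "[B" -> null (no class to check). */
    static String componentName(String name) {
        int dims = 0;
        while (dims < name.length() && name.charAt(dims) == '[') {
            dims++;
        }
        if (dims == 0) {
            return name;                              // not an array
        }
        String rest = name.substring(dims);
        if (rest.length() == 1) {
            return null;                              // primitive element type, e.g. "[I"
        }
        return rest.substring(1, rest.length() - 1);  // strip leading "L" and trailing ";"
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = componentName(desc.getName());
        if (name != null && !allowed.contains(name)) {
            // Refuse before super.resolveClass() reaches Class.forName(): the unexpected
            // class is never loaded, so none of its code (static init, readObject) runs.
            throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        // Dynamic proxies take a separate path; hold every interface to the same allowlist.
        for (String iface : interfaces) {
            if (!allowed.contains(iface)) {
                throw new InvalidClassException(iface, "proxy interface not on the deserialization allowlist");
            }
        }
        return super.resolveProxyClass(interfaces);
    }

    /** Constructed message type standing in for whatever the application really exchanges. */
    public static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        final int count;
        Payload(String message, int count) { this.message = message; this.count = count; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Only the application's own message type is acceptable on this endpoint.
        Set<String> allowed = new HashSet<>(Arrays.asList(Payload.class.getName()));

        Payload p = (Payload) deserialize(serialize(new Payload("ping", 7)), allowed);
        System.out.println("accepted: " + p.message + " x" + p.count);

        // A stream carrying any other type (here a plain HashMap) is refused at its class descriptor.
        try {
            deserialize(serialize(new HashMap<String, String>()), allowed);
            System.out.println("BUG: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist has to name every class that appears as its own descriptor in the stream: a serializable superclass of `Payload`, or a `java.util.ArrayList` held in one of its fields, would each need an entry, so build the list from what the endpoint genuinely exchanges and let the first rejection in testing tell you what is missing. On JDK 9 and later (backported to Java 8 update 121) the platform offers `java.io.ObjectInputFilter` and the `jdk.serialFilter` system property, which express the same allowlist as a pattern and, through the system property, apply it to every `ObjectInputStream` in the JVM, including the ones inside libraries you do not control; where that is available it is the better place to enforce the policy.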
