"one place" = one feature in tomee codebase, all the projects I mentionned can use it, here a small overview:
- jcs: depends on your plugins (no risk by default, ie in in-memory mode)
- openjpa: depends if you serialize openjpa instances (if so you probably have other troubles you are aware of or not ;), see struberg slides for details on this)
- batchee: you can use this code but it is not used remotely normally, so no real risk
- openwebbeans: depends if you use serializable scopes and how (no risk with default setup)
- activemq: risk using a remote broker
- tomee: medium risk using ejbd protocol

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>

2015-11-27 13:48 GMT+01:00 Lukas Kohl <[email protected]>:

> Hello Romain,
> thank you very much, this was quite fast!
> You mentioned that there is only one dangerous place. Which place in
> OpenEJB is this?
>
> I am running on Oejb 4.5.2, which is pretty much uncustomized. Am I safe?
>
> Kind regards,
> Lukas
>
> From: Romain Manni-Bucau <[email protected]>
> To: "[email protected]" <[email protected]>
> Date: 27.11.2015 13:16
> Subject: [SPAM] Re: Unsecure deserialization of Java Objects
>
> Fixed in jcs, batchee, owb, tomee, openjpa
> AMQ already had the fix
> opened an issue for myfaces
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>
>
> 2015-11-27 12:06 GMT+01:00 Romain Manni-Bucau <[email protected]>:
>
> > You can run the code you want, more or less. Openjpa got the same issue and
> > fixed it months ago.
> >
> > I'll add the filter today
> >
> > On 27 Nov 2015 12:00, "Andy" <[email protected]> wrote:
> >
> >> What is the dangerous option, so we can inform people of the danger?
> >>
> >> Andy.
> >>
> >> --
> >> Andy Gumbrecht
> >> https://twitter.com/AndyGeeDe
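The "filter" Romain refers to above is, in the general case, a check that stops `ObjectInputStream` from instantiating arbitrary classes found in an untrusted stream. The following is an added illustration written for this page, not TomEE's or any of the listed projects' own code: an `ObjectInputStream` that resolves only classes on an explicit allow-list and fails closed on anything else. The allow-lists and the sample `ArrayList` payload are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added illustration (not TomEE's own filter): an ObjectInputStream that only
 * resolves classes on an explicit allow-list. Any other class name found in the
 * stream is rejected before the class is loaded, so no constructor, readObject
 * or readResolve of an unexpected type ever runs.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    // Hypothetical allow-list for the demo; a real endpoint lists exactly the
    // types it expects to receive, nothing broader.
    private final Set<String> allowed;

    public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Fail closed: refuse the whole stream on the first unexpected class.
            throw new InvalidClassException(name, "class not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    /** Deserializes one object from the bytes while enforcing the allow-list. */
    public static Object readAllowed(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    /** Constructed sample payload: a serialized java.util.ArrayList holding two strings. */
    private static byte[] samplePayload() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(Arrays.asList("a", "b")));
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = samplePayload();

        // Allow-list that names the one class the stream carries: accepted.
        // (String values are written as primitive stream tokens, not via resolveClass.)
        Set<String> expected = new HashSet<>(Arrays.asList("java.util.ArrayList"));
        System.out.println("accepted: " + readAllowed(payload, expected));

        // Allow-list that does not name ArrayList: the same stream is rejected.
        Set<String> tooNarrow = new HashSet<>(Arrays.asList("java.lang.String"));
        try {
            readAllowed(payload, tooNarrow);
            System.out.println("unexpected: stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is the direction of the check: the stream is rejected unless every class it names is expected, rather than blocked only when a known-bad class appears, because the set of classes usable as gadgets grows with every library on the classpath. On Java 9 and later the same policy can be expressed with the built-in `ObjectInputFilter` (JEP 290) via `ObjectInputStream.setObjectInputFilter`, which also lets you cap stream depth and array sizes.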
