Yep, that should be all non-DMZ, unless you're crazy. So I guess we can just post a warning so people are aware. If we become aware of real DMZ issues within TomEE itself then we need to post as much info on this as possible.

On 27/11/2015 13:53, Romain Manni-Bucau wrote:
"one place" = one feature in the tomee codebase; all the projects I mentioned
can use it. Here is a small overview:

- jcs: depends on your plugins (no risk by default, i.e. in in-memory mode)
- openjpa: depends on whether you serialize openjpa instances (if so you probably
have other troubles, whether you are aware of them or not ;), see struberg's slides for
details on this)
- batchee: you can use this code but it is not normally used remotely, so no
real risk
- openwebbeans: depends on whether you use serializable scopes and how (no risk
with the default setup)
- activemq: risk when using a remote broker
- tomee: medium risk when using the ejbd protocol

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>

2015-11-27 13:48 GMT+01:00 Lukas Kohl <[email protected]>:

Hello Romain,
thank you very much, this was quite fast!
You mentioned that there is only one dangerous place. Which place in
OpenEJB is this?

I am running on Oejb 4.5.2, which is pretty much uncustomized. Am I safe?


Kind regards,
Lukas



From:    Romain Manni-Bucau <[email protected]>
To:      "[email protected]" <[email protected]>
Date:    27.11.2015 13:16
Subject: [SPAM] Re: Unsecure deserialization of Java Objects



Fixed in jcs, batchee, owb, tomee, openjpa.
AMQ already had the fix.
Opened an issue for myfaces.


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber <http://www.tomitribe.com>

2015-11-27 12:06 GMT+01:00 Romain Manni-Bucau <[email protected]>:

You can run the code you want, more or less. OpenJPA had the same issue
and fixed it months ago.

I'll add the filter today.
On 27 Nov 2015 12:00, "Andy" <[email protected]> wrote:
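As an added illustration of the kind of deserialization filter Romain refers to (example code written for this page, not TomEE's or OpenJPA's own fix), here is a Java ObjectInputStream that rejects every class not on an explicit allowlist before the class is even loaded. The Ticket type and the allowlist entries are hypothetical.

```java
import java.io.*;
import java.util.*;

// Added example, not TomEE code: an allowlisting ObjectInputStream of the kind
// "the filter" refers to. ALLOWED entries and the Ticket type are hypothetical.
public class FilteredInput {
    // Only these classes may be materialised from an untrusted stream;
    // java.lang.Number is listed because Integer's descriptor references it.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.Integer", "java.lang.Number", "FilteredInput$Ticket"));
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Decide before loading: gadget chains rely on unexpected classes being resolved.
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }
    // Hypothetical application type that is legitimately expected on the wire.
    static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id; final Integer seat;
        Ticket(String id, Integer seat) { this.id = id; this.seat = seat; }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        Ticket t = (Ticket) deserialize(serialize(new Ticket("A1", 42)));
        System.out.println("accepted: " + t.id + "/" + t.seat);
        try { // constructed unexpected payload: java.util.HashMap is not listed
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

JDK 9 and later ship this control built in as java.io.ObjectInputFilter, which should be preferred over a hand-rolled resolveClass override where available.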

What is the dangerous option, so we can inform people of the danger?

Andy.

--
   Andy Gumbrecht
   https://twitter.com/AndyGeeDe


--
  Andy Gumbrecht
  https://twitter.com/AndyGeeDe
