tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: java deserialization vulnerability for Tomcat 7/8
Date Wed, 11 Nov 2015 13:10:33 GMT
Satish,

On 11/11/15 7:58 AM, satish jupalli wrote:
> Would like to get your opinion on the java deserialization vulnerability
> issue for Tomcat. As JBoss seems to have been impacted, is there a way
> to verify whether this vulnerability affects Tomcat as well?

Are you talking about this one?
http://www.infoq.com/news/2015/11/commons-exploit

Tomcat does not deserialize object streams from untrusted sources, so
Tomcat has no vulnerability here. Also, Tomcat does not use any of the
libraries mentioned in the report, though I'm sure that list is now
exhaustive.

Applications running on Tomcat may, however, be vulnerable to this
attack, but the vector isn't Tomcat: it's the application and its
failure to validate data from an untrusted source before deserializing
such data.

-chris
