tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: java deserialization vulnerability for Tomcat 7/8
Date Wed, 11 Nov 2015 13:10:33 GMT

On 11/11/15 7:58 AM, satish jupalli wrote:
> Would like to get your opinion on the java deserialization vulnerability
> issue for Tomcat. As JBoss seems to have been impacted, is there a way
> to verify whether this vulnerability affects Tomcat as well?

Are you talking about this one?

Tomcat does not deserialize object streams from untrusted sources, so
Tomcat has no vulnerability here. Also, Tomcat does not use any of the
libraries mentioned in the report, though I'm sure that list is now

Applications running on Tomcat may, however, be vulnerable to this
attack, but the vector isn't Tomcat: it's the application and its
failure to validate data from an untrusted source before deserializing
such data.
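The application-side check the reply refers to, as an added example that is not part of the original message nor Tomcat's own code: an ObjectInputStream that refuses to resolve any class outside an explicit allowlist, so a stream from an untrusted source cannot instantiate unexpected classes during deserialization. SessionToken is a hypothetical application type, and both inputs are constructed here.

```java
import java.io.*;
import java.util.*;

// Added example, not Tomcat or JBoss code: the allowlist is enforced in
// resolveClass(), which runs for every class descriptor in the stream
// before that class is loaded or instantiated.
public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            // InvalidClassException is an IOException, so readObject() aborts immediately.
            throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Hypothetical application type: the only thing this endpoint expects to receive.
    public static class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        String user; long issuedAt;   // String and primitives need no allowlist entries
        SessionToken(String user, long issuedAt) { this.user = user; this.issuedAt = issuedAt; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object readWithAllowlist(byte[] data) throws IOException, ClassNotFoundException {
        Set<String> allowed = new HashSet<>(Arrays.asList(SessionToken.class.getName()));
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the expected type is accepted, any other class is rejected.
        SessionToken t = (SessionToken) readWithAllowlist(serialize(new SessionToken("alice", 1447247433L)));
        System.out.println("accepted: " + t.user);
        try {
            readWithAllowlist(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK releases that include JEP 290 (Java 9, and the 8u121/7u131 backports), the same policy can be expressed with ObjectInputFilter or the jdk.serialFilter property instead of overriding resolveClass.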
