tomcat-users mailing list archives

From Johan Compagner <>
Subject Re: java deserialization vulnerability for Tomcat 7/8
Date Wed, 11 Nov 2015 13:07:05 GMT
I don't think Tomcat by default ships with Commons Collections.

But of course it's not just Commons Collections; it's a more generic problem
that could be hit if there are more special classes that do special things
in deserialization.

I do think that Tomcat by default (even the manager app or its JMX proxy
servlet) doesn't use Java serialization to the outside world.
And the JMX port should by default only be accessible from localhost.

On 11 November 2015 at 13:58, satish jupalli <> wrote:

> Hi,
> Would like to get your opinion on the Java deserialization vulnerability
> issue for Tomcat. As JBoss seems to have been impacted, is there a way
> to verify whether this vulnerability affects Tomcat as well?
> Regards
> SJ

Johan Compagner
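The generic problem described in the reply above (any class on the classpath whose deserialization logic "does special things" can be abused once untrusted bytes reach ObjectInputStream) is normally addressed by not deserializing untrusted input at all, or, where that cannot be avoided, by an allowlist of the classes the application actually expects. The following is an added example and not code from this thread, from Tomcat or from JBoss: it uses the JDK's own ObjectInputFilter (java.io.ObjectInputFilter in Java 9 and later; the same API was backported to Java 8u121+ under sun.misc.ObjectInputFilter) with a constructed Greeting type and an assumed policy string, and shows an expected object being accepted while an object of a class outside the allowlist is rejected before its readObject logic runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationAllowlist {

    // Constructed example type standing in for whatever the application really expects to receive.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Allowlist filter (assumed policy for this example): only the application's own type
    // and java.lang.String may be deserialized; the trailing "!*" rejects every other class,
    // so a library class with special deserialization behaviour never gets instantiated.
    // maxdepth and maxarray additionally bound the object graph against resource-exhaustion streams.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "DeserializationAllowlist$Greeting;java.lang.String;maxdepth=5;maxarray=1000;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist installed before the first readObject() call;
    // the filter is consulted for every class the stream asks to resolve.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: passes the filter.
        Greeting ok = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);

        // Unexpected type (a plain HashMap here, but the same happens for any class not listed):
        // rejected with InvalidClassException before any of its deserialization code runs.
        try {
            deserialize(serialize(new HashMap<String, String>()));
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter must be set on each ObjectInputStream before the first read (or process-wide via the jdk.serialFilter system property), and the allowlist should name only the types the endpoint is designed to exchange; a denylist of known gadget classes is weaker because it has to be updated every time a new gadget chain is found in a library already on the classpath.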
