From: Johan Compagner
Date: Wed, 11 Nov 2015 14:07:05 +0100
Subject: Re: java deserialization vulnerability for Tomcat 7/8
To: Tomcat Users List (users@tomcat.apache.org)
I don't think Tomcat by default ships with commons collections.

But of course it's not just commons collections; it's a more generic problem that could be hit if there are more special classes that do special things in deserialization.

I do think that Tomcat by default (even the manager app or their JMX proxy servlet) doesn't use Java serialization to the outside world.

And the JMX port should by default only be accessible from localhost.

On 11 November 2015 at 13:58, satish jupalli wrote:

> Hi,
>
> Would like to get your opinion on the java deserialization vulnerability
> issue for Tomcat. As JBoss seems to have been impacted, is there a way
> to verify whether this vulnerability affects Tomcat as well?
>
> Regards
> SJ

-- 
Johan Compagner
Servoy
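The practical way to answer the question in this thread is to inventory what is actually on the classpath. The script below is an added example written for this page, not code from Tomcat or from anyone in the thread. It walks a Tomcat installation's shared `lib` directory and every webapp's `WEB-INF/lib`, classifies Commons Collections jars by the version in their file name (the upstream releases that disabled deserialization of the unsafe functors by default are commons-collections 3.2.2 and commons-collections4 4.1), and, because the library is often shaded into an application's own jar, also opens every other jar to look for the `InvokerTransformer` class itself. The sample installation it builds under a temporary directory is constructed for demonstration; the `CATALINA_HOME` layout it assumes is the standard one.

```python
"""Inventory Commons Collections jars under a Tomcat installation.

Added example, not part of the mailing-list thread or of Tomcat itself.
Assumes the standard CATALINA_HOME layout (lib/ and webapps/*/WEB-INF/lib/).
"""
import os
import re
import tempfile
import zipfile

# Upstream releases that stopped deserializing the unsafe functors by default.
CC3_FIXED = (3, 2, 2)
CC4_FIXED = (4, 1)

# Maven-style file names: commons-collections-3.2.1.jar, commons-collections4-4.0.jar
JAR_RE = re.compile(r"^commons-collections(?P<four>4)?-(?P<ver>\d+(?:\.\d+)*)\.jar$")

# Class entries that mark a (possibly shaded) copy of the library.
UNSAFE_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def classify_name(filename):
    """Classify a jar by file name alone; None when it is not a CC jar."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    ver = parse_version(m.group("ver"))
    if m.group("four"):
        return "fixed" if ver >= CC4_FIXED else "vulnerable"
    if ver < (3,):
        return "pre-3.0"  # InvokerTransformer was only added in 3.0
    return "fixed" if ver >= CC3_FIXED else "vulnerable"


def contains_unsafe_functor(jar_path):
    """True if the jar carries an InvokerTransformer class (catches shaded copies)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(cls in names for cls in UNSAFE_CLASSES)


def lib_dirs(catalina_home):
    """Yield Tomcat's shared lib and each deployed webapp's WEB-INF/lib."""
    yield os.path.join(catalina_home, "lib")
    webapps = os.path.join(catalina_home, "webapps")
    if os.path.isdir(webapps):
        for app in sorted(os.listdir(webapps)):
            yield os.path.join(webapps, app, "WEB-INF", "lib")


def scan(catalina_home):
    """Return [(jar_path, verdict)] for every jar that deserves attention."""
    findings = []
    for d in lib_dirs(catalina_home):
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".jar"):
                continue
            path = os.path.join(d, name)
            verdict = classify_name(name)
            if verdict is None and contains_unsafe_functor(path):
                verdict = "embedded-InvokerTransformer"
            if verdict is not None:
                findings.append((path, verdict))
    return findings


def build_sample_install():
    """Construct a throwaway CATALINA_HOME (constructed demo data, not a real install)."""
    home = tempfile.mkdtemp(prefix="tomcat-demo-")
    os.makedirs(os.path.join(home, "lib"))
    app_lib = os.path.join(home, "webapps", "ROOT", "WEB-INF", "lib")
    os.makedirs(app_lib)
    # A container jar with no Commons Collections classes at all.
    with zipfile.ZipFile(os.path.join(home, "lib", "catalina.jar"), "w") as zf:
        zf.writestr("org/apache/catalina/Dummy.class", b"")
    # The webapp bundles an old 3.x release, a fixed collections4 release,
    # and a shaded copy of the unsafe class inside its own fat jar.
    with zipfile.ZipFile(os.path.join(app_lib, "commons-collections-3.2.1.jar"), "w") as zf:
        zf.writestr(UNSAFE_CLASSES[0], b"")
    with zipfile.ZipFile(os.path.join(app_lib, "commons-collections4-4.1.jar"), "w") as zf:
        zf.writestr(UNSAFE_CLASSES[1], b"")
    with zipfile.ZipFile(os.path.join(app_lib, "myapp-all.jar"), "w") as zf:
        zf.writestr(UNSAFE_CLASSES[0], b"")
    return home


if __name__ == "__main__":
    for path, verdict in scan(build_sample_install()):
        print(f"{verdict:30} {path}")
```

Run it against a real installation by calling `scan("/path/to/tomcat")`. A "vulnerable" or "embedded-InvokerTransformer" finding only tells you a known gadget library is reachable; whether anything actually deserializes untrusted input (the JMX remote port and any application code using `ObjectInputStream` are the usual places to check) still has to be established separately, which is the broader point made in the reply above.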