From: Johan Compagner
Date: Wed, 11 Nov 2015 14:53:53 +0100
Subject: Re: java deserialization vulnerability for Tomcat 7/8
To: Tomcat Users List
In-Reply-To: <5643462F.7070806@christopherschultz.net>
References: <56433E49.5070102@christopherschultz.net> <5643462F.7070806@christopherschultz.net>

On 11 November 2015 at 14:44, Christopher Schultz <chris@christopherschultz.net> wrote:

> Tomcat could potentially be used as an attack vector against a system by
> someone with write-access to the part of the filesystem where Tomcat
> stores its serialized session objects during a restart

If you already can do that... then I think there are other problems first ;)

-- 
Johan Compagner
Servoy