On Sat, Dec 11, 2021 at 11:05 PM Sebastian Hennebrüder
wrote:
>
> Hi all,
>
> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 11.
> Actually the Java path version is not relevant.
>
> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat embedded.
>
> If yo
On 11/12/2021 22:04, Sebastian Hennebrüder wrote:
Hi all,
I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 11.
Actually the Java path version is not relevant.
Utter nonsense. Tomcat is not vulnerable to this attack.
It is possible with a deployed Tomcat 9 and Spring
To be more precise: it depends on how you configure log4j. By default Spring Boot installs
org.apache.logging.log4j
log4j-to-slf4j
In that case the default NullConfiguration of Log4j is not executed and the
JNDI lookup is not configured.
The chance to be impacted is smaller.
> On 11.12.2021
> On 11.12.2021 at 23:54, Aryeh Friedman wrote:
>
> On Sat, Dec 11, 2021 at 5:11 PM Sebastian Hennebrüder
> wrote:
>
>> Hi all,
>>
>> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java
>> 11. Actually the Java path version is not relevant.
>>
>> It is possible with a
On Sat, Dec 11, 2021 at 5:11 PM Sebastian Hennebrüder
wrote:
> Hi all,
>
> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java
> 11. Actually the Java path version is not relevant.
>
> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat
> embedded.
>
Does th
Correction for Spring Boot with embedded Tomcat
The attack does not work by default.
> On 11.12.2021 at 23:04, Sebastian Hennebrüder wrote:
>
> Hi all,
>
> I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 11.
> Actually the Java path version is not relevant.
>
> It
Hi all,
I reproduced the attack against Tomcat 9.0.56 with latest Java 8 and Java 11.
Actually the Java path version is not relevant.
It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat embedded.
If your server can reach arbitrary servers on the Internet, you can execute
rando
All,
On 12/11/21 03:18, Mark Thomas wrote:
On 10/12/2021 22:17, James H. H. Lampert wrote:
A customer brought this to my attention:
https://www.randori.com/blog/cve-2021-44228/
I have no idea how (or if) Tomcat is affected. I have only the vaguest
idea what this vulnerability even *is.*
Ca
Thanks Mark
Thanks,
Sent with BlackBerry Work (www.blackberry.com)
From: Mark Thomas
Sent: Dec 11, 2021 2:23 AM
To: users@tomcat.apache.org
Subject: Re: Disable a library in Tomcat configuration
On 11/12/2021 02:02, jonmcalexan...@wellsfargo.com.INVALID wrote
On 11/12/2021 02:02, jonmcalexan...@wellsfargo.com.INVALID wrote:
Is there a way to forcibly prevent a library from loading in Tomcat during
startup that will also prevent an app from loading the library?
Trying to find a way to block vulnerabilities.
Dependencies are rarely optional. Blocki
On 10/12/2021 22:17, James H. H. Lampert wrote:
A customer brought this to my attention:
https://www.randori.com/blog/cve-2021-44228/
I have no idea how (or if) Tomcat is affected. I have only the vaguest
idea what this vulnerability even *is.*
Can anybody here shed any light?
Currently su