Johan,
On 11/11/15 8:53 AM, Johan Compagner wrote:
> On 11 November 2015 at 14:44, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Tomcat could potentially be
>> used as an attack vector against a system by someone with write-access
>> to the part of the filesystem where Tomcat
On 11 November 2015 at 14:44, Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Tomcat could potentially be
> used as an attack vector against a system by someone with write-access
> to the part of the filesystem where Tomcat stores its serialized session
> objects during a restart
>
i
Satish,
On 11/11/15 8:10 AM, Christopher Schultz wrote:
> Satish,
>
> On 11/11/15 7:58 AM, satish jupalli wrote:
>> Would like to get your opinion on the java deserialization vulnerability
>> issue for Tomcat. As JBoss seems to have been impacted with, is there a way
>> to verify whether this vuln
Satish,
On 11/11/15 7:58 AM, satish jupalli wrote:
> Would like to get your opinion on the java deserialization vulnerability
> issue for Tomcat. As JBoss seems to have been impacted with, is there a way
> to verify whether this vulnerability affects Tomcat as well?
Are you talking about this one?
don't think Tomcat by default ships with commons collections
But of course it's not just commons collections; it's a more generic problem
that could be hit if there are more special classes that do special things
in deserialization.
I do think that Tomcat by default (even the manager app or there jm