Satish,

On 11/11/15 7:58 AM, satish jupalli wrote:
> Would like to get your opinion on the java deserialization vulnerability
> issue for Tomcat. As JBoss seems to have been impacted with, is there a way
> to verify whether this vulnerability affects Tomcat as well?

Are you talking about this one? http://www.infoq.com/news/2015/11/commons-exploit

Tomcat does not deserialize object streams from untrusted sources, so Tomcat has no vulnerability here. Also, Tomcat does not use any of the libraries mentioned in the report, though I'm sure that list is now exhaustive.

Applications running on Tomcat may, however, be vulnerable to this attack, but the vector isn't Tomcat: it's the application and its failure to validate data from an untrusted source before deserializing such data.

-chris
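The point above is that the exposure lives in application code that calls readObject() on request data. As an added illustration that is not from the Tomcat list or the Tomcat code base, here is the application-side mitigation available since Java 9: an allow-list ObjectInputFilter installed on the stream before anything is read. The Greeting class, the EXPECTED set and the depth/reference limits are constructed assumptions for the example.

```java
import java.io.*;
import java.util.Set;
// Added example, not from the Tomcat list: accept a serialized request body only
// through an allow-list ObjectInputFilter (Java 9+), so the application, not Tomcat,
// decides which classes an untrusted stream may instantiate.
public final class SafeDeserialize {
    // Constructed, hypothetical DTO the application genuinely expects from clients.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }
    // Everything outside this set is refused, so gadget classes from unrelated
    // libraries on the classpath are never resolved, let alone instantiated.
    private static final Set<Class<?>> EXPECTED = Set.of(Greeting.class, String.class);
    private static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 4 || info.references() > 100) {
            return ObjectInputFilter.Status.REJECTED;  // bound graph nesting and size
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // non-class callbacks (back-references etc.)
        }
        while (c.isArray()) c = c.getComponentType(); // judge arrays by their element type
        return EXPECTED.contains(c) || c.isPrimitive()
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };
    // The risky pattern is new ObjectInputStream(untrusted).readObject() with no filter;
    // here the filter is installed before a single object is read.
    public static Object readUntrusted(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        Greeting g = (Greeting) readUntrusted(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);
        try { // any other class, even a harmless HashMap, fails with InvalidClassException
            readUntrusted(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list can be applied process-wide with the jdk.serialFilter system property, which also covers deserialization in third-party code the application does not call directly.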