林慶龍,
On 3/10/16 8:07 PM, 林慶龍 Barry Lin wrote:
> These days, everyone talks about the vulnerability in Tomcat, and
> we found that we had the same problem with “deserialization
> vulnerability”.
>
> How can I fix deserialization vulnerability in tomcat?

If you don't have any applications that have known problematic classes in them (such as the famous commons-collections bug), then you aren't really in any danger.

You can disable session serialization, but if you don't trust the files on your own disk then you probably have bigger problems.

You can disable clustering, but if you don't trust the other members of your cluster, then you probably have bigger problems.

You can disable session persistence, but if you don't trust your database, then you probably have bigger problems.

The reality is that this "deserialization vulnerability" is wildly overblown. Yes, it should be mitigated, but the attack vectors are very, very narrow.

As of Tomcat 8.0.32, the session resumption "vulnerability" has been mitigated in Tomcat itself if you configure it properly. It's covered under "CVE-2016-0714" on this page:

https://tomcat.apache.org/security-8.html

You need to either run Tomcat under a SecurityManager (in which case, you'll get a non-null default value for this configuration setting), or you need to set sessionAttributeValueClassNameFilter on your <Manager> element in server.xml.

https://tomcat.apache.org/tomcat-8.0-doc/config/manager.html

(I admit I find the use of that CVE a little confusing, here, but the patches for that CVE are the ones that also fix the de-serialization vulnerability.)
-chris
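An example of the `<Manager>` configuration the reply points to, added here and not part of the original message. The `java.lang` portion of the pattern is the default Tomcat uses when a SecurityManager is enabled; the `com.example.myapp.session` package is an assumed placeholder for the application's own session-attribute classes.

```xml
<!-- server.xml, Tomcat 8.0.32 or later: restrict which session attribute values
     are serialized/deserialized by session persistence.
     The attribute is a java.util.regex pattern that must fully match the
     fully qualified class name of each attribute value. Values whose class
     does not match are skipped rather than (de)serialized, which removes
     the gadget-chain exposure the thread discusses.
     XML does not interpret backslashes, so "\." is written as-is. -->
<Context path="/myapp" docBase="myapp">
  <Manager className="org.apache.catalina.session.StandardManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|com\.example\.myapp\.session\..*" />
</Context>
```

Without a SecurityManager the attribute defaults to null (no filtering), so it has to be set explicitly for the mitigation to take effect.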