Hi all, I reproduced the attack against Tomcat 9.0.56 with the latest Java 8 and Java 11. Actually, the Java patch version is not relevant.

It is possible with a deployed Tomcat 9 and with Spring Boot with embedded Tomcat. If your server can reach arbitrary servers on the Internet, you can execute random code in the shell. The attack is not using RMI remote class loading but uses Tomcat's BeanFactory to create an ELExpression library. As the BeanFactory has features to manipulate instantiated classes, it can inject a script. In a plain Java application this would still be blocked by RMI class loading, but Tomcat circumvents this. The attack was explained in 2019 at https://www.veracode.com/blog/research/exploiting-jndi-injections-java

Cheers
Sebastian