Author: rmannibucau
Date: Tue Apr 5 11:39:26 2016
New Revision: 1737824
URL: http://svn.apache.org/viewvc?rev=1737824&view=rev
Log: mentioning CVE-2015-8581, thanks Robert Panzer for the patch
Modified: tomee/site/trunk/content/security/tomee.mdtext Modified: tomee/site/trunk/content/security/tomee.mdtext URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/tomee.mdtext?rev=1737824&r1=1737823&r2=1737824&view=diff ============================================================================== --- tomee/site/trunk/content/security/tomee.mdtext (original) +++ tomee/site/trunk/content/security/tomee.mdtext Tue Apr 5 11:39:26 2016 @@ -29,7 +29,11 @@ that even if fixed in 7.0.0-M2 we recomm This issue only affects you if you rely on EJBd protocol (proprietary remote EJB protocol). This one one is not activated by default on the 7.x series but it was on the 1.x ones. -The related CVE number is [CVE-2016-0779](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0779): the EJBd protocol provided by TomEE can exploit the 0-day vulnerability. +The related CVE numbers are: + +* [CVE-2016-0779](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0779): The EJBd protocol provided by TomEE can exploit the 0-day vulnerability. +* [CVE-2015-8581](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8581): The EjbObjectInputStream class in Apache TomEE allows remote attackers to execute arbitrary commands via a serialized Java stream. + This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9. Check [properties configuration](/properties-listing.html) and [Ejbd transport](/ejbd-transport.html) for more details (tomee.serialization.class.* and tomee.remote.support).
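Review bot: the closing sentence "This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9" was written when a single CVE was listed; now that the hunk turns it into a two-item list, a reader cannot tell whether that commit (and the 7.0.0-M2 fix mentioned in the hunk header) covers CVE-2016-0779, CVE-2015-8581, or both. Suggest stating the fix per bullet, e.g. appending "fixed in commit 58cdbbef…" to whichever entries it applies to, and likewise changing the unchanged lead-in "This issue only affects you" to "These issues only affect you" so the singular does not contradict the list. Two smaller points in the same region: the CVE-2016-0779 bullet keeps the original wording "The EJBd protocol provided by TomEE can exploit the 0-day vulnerability", which reads as if the protocol is the attacker; "is affected by" or "can be used to exploit" would say what is meant. And the unchanged context line "This one one is not activated by default" has a doubled word that could be fixed while this file is being touched.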