https://bz.apache.org/bugzilla/show_bug.cgi?id=65736

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
To be crystal clear:

There is no Apache Tomcat vulnerability here.

To quote from the linked article:
<quote>
The actual problem here is not within the JDK or Apache Tomcat library, but
rather in custom applications that pass user-controllable data to the
"InitialContext.lookup()" function, as it still represents a security risk even
in fully patched JDK installations.
</quote>

Moving this to an enhancement request.

It is highly unlikely Tomcat will remove/disable existing functionality.

Suggestions for mitigation / hardening that can improve security without
impacting legitimate uses will be welcomed.

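The pattern the quoted article warns about, shown as an added example (not Tomcat code and not the commenter's); the class name, the resource names and the key-to-name map are assumptions made for illustration:

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Map;

/**
 * Hypothetical application-side helper contrasting the risky call with a
 * hardened one. JNDI itself is not the defect; the defect is letting a
 * request parameter choose which name InitialContext.lookup() resolves.
 */
public final class JndiLookupExample {

    // Constructed allow-list: opaque keys the request may use, mapped to the
    // fixed JNDI names this application actually needs. Nothing else resolves.
    private static final Map<String, String> RESOURCES = Map.of(
        "db",   "java:comp/env/jdbc/AppDB",
        "mail", "java:comp/env/mail/Session");

    private JndiLookupExample() {}

    /** Risky pattern from the article: user data flows straight into lookup(). */
    public static Object lookupUnchecked(String userSupplied) throws NamingException {
        Context ctx = new InitialContext();
        try {
            return ctx.lookup(userSupplied);   // caller decides what is resolved
        } finally {
            ctx.close();
        }
    }

    /** Returns the fixed JNDI name for a key, or null if the key is not known. */
    public static String resolveName(String key) {
        return key == null ? null : RESOURCES.get(key);
    }

    /**
     * Hardened form: the request supplies only a key; the JNDI name comes from
     * the application's own table, so no user-controlled string reaches JNDI.
     */
    public static Object lookupChecked(String key) throws NamingException {
        String name = resolveName(key);
        if (name == null) {
            throw new IllegalArgumentException("unknown resource key: " + key);
        }
        Context ctx = new InitialContext();
        try {
            return ctx.lookup(name);
        } finally {
            ctx.close();
        }
    }
}
```

Rejected keys are worth logging with the requesting principal, since a stream of unknown keys is the detection signal for someone probing the lookup.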