I don't think Tomcat by default ships with Commons Collections. But of course it's not just Commons Collections; it's a more generic problem that could be hit if there are more special classes that do special things in deserialization.

I do think that Tomcat by default (even the manager app or their JMX proxy servlet) doesn't use Java serialization to the outside world. And the JMX port should by default only be accessible from localhost.

On 11 November 2015 at 13:58, satish jupalli <[email protected]> wrote:
> Hi,
>
> Would like to get your opinion on the java deserialization vulnerability
> issue for Tomcat. As Jboss seems to have been impacted with, is there a way
> to verify whether this vulnerability affects Tomcat as well?
>
> Regards
> SJ

--
Johan Compagner
Servoy
