Correction for Spring Boot with embedded Tomcat

The attack does not work by default.

> On 11.12.2021 at 23:04, Sebastian Hennebrüder <use...@laliluna.de> wrote:
> 
> Hi all,
> 
> I reproduced the attack against Tomcat 9.0.56 with the latest Java 8 and Java 11.
> Actually, the Java patch version is not relevant.
> 
> It is possible with a deployed Tomcat 9 and Spring Boot with Tomcat embedded.
> 
> If your server can reach arbitrary servers on the Internet, you can execute 
> random code in the shell.
> 
> The attack is not using RMI remote class loading but uses Tomcat's BeanFactory 
> to create an EL expression library. As the BeanFactory has features to 
> manipulate instantiated classes, it can inject a script. In a plain Java 
> application this would still be blocked by RMI class loading, but Tomcat 
> circumvents this.
> 
> The attack was explained in 2019 at 
> https://www.veracode.com/blog/research/exploiting-jndi-injections-java
> 
> 
> Cheers 
> 
> Sebastian
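The quoted mail names the two Tomcat components the JNDI gadget relies on: the naming BeanFactory and the EL library that evaluates the injected script. A practitioner's first question is whether both ship inside a given deployable, including a Spring Boot fat jar with nested BOOT-INF/lib jars. The following scanner is an added example, not code from the thread or from the Tomcat project; it assumes the class names org/apache/naming/factory/BeanFactory.class (Tomcat's BeanFactory) and javax/el/ELProcessor.class (the EL evaluator from tomcat-embed-el), and the fat jar it scans is constructed inline for the demonstration.

```python
import io
import sys
import zipfile

# Assumed class-file paths for the two components named in the mail:
# Tomcat's naming BeanFactory and the EL processor it can be pointed at.
GADGET_CLASSES = {
    "org/apache/naming/factory/BeanFactory.class",
    "javax/el/ELProcessor.class",
}


def scan_jar(data: bytes) -> dict:
    """Map each gadget class found to the jar it lives in.

    Nested jars (e.g. BOOT-INF/lib/*.jar in a Spring Boot fat jar) are
    opened recursively; a class found in the outer jar is reported as <root>.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in GADGET_CLASSES:
                found.setdefault(name, "<root>")
            elif name.endswith(".jar"):
                for hit in scan_jar(zf.read(name)):
                    found.setdefault(hit, name)
    return found


def has_full_gadget_chain(found: dict) -> bool:
    """True when both the factory and the EL evaluator are present."""
    return GADGET_CLASSES <= set(found)


def make_jar(entries) -> bytes:
    """Build a minimal jar whose entries are stub class files (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_fat_jar() -> bytes:
    """Constructed stand-in for a Spring Boot fat jar; not a real artifact."""
    core = make_jar(["org/apache/naming/factory/BeanFactory.class",
                     "org/apache/catalina/Foo.class"])
    el = make_jar(["javax/el/ELProcessor.class"])
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("BOOT-INF/classes/com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("BOOT-INF/lib/tomcat-embed-core-9.0.56.jar", core)
        zf.writestr("BOOT-INF/lib/tomcat-embed-el-9.0.56.jar", el)
    return outer.getvalue()


def report(data: bytes) -> str:
    found = scan_jar(data)
    lines = [f"{cls}: {where}" for cls, where in sorted(found.items())]
    verdict = "both gadget classes present" if has_full_gadget_chain(found) \
        else "gadget chain incomplete"
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    # Scan a real jar given on the command line, else the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read()))
    else:
        print(report(build_sample_fat_jar()))
```

Presence of both classes on the classpath is an inventory fact, not proof of exploitability: the reply at the top of the thread notes that the attack does not work by default against Spring Boot with embedded Tomcat, and the mail itself ties exploitation to the server being able to reach arbitrary hosts on the Internet, so egress restrictions remain the check to pair this with.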

