Hi

@Romain, I would be interested to see how such a fix is implemented. Can
you give pointers to look at some code?

Thanks

Regards
LF

On Fri, Nov 27, 2015 at 1:53 PM, Romain Manni-Bucau <rmannibu...@gmail.com>
wrote:

> "one place" = one feature in tomee codebase, all the projects I mentioned
> can use it, here is a small overview:
>
> - jcs: depends on your plugins (no risk by default, i.e. in in-memory mode)
> - openjpa: depends on whether you serialize openjpa instances (if so you probably
> have other troubles, whether you are aware of them or not ;), see struberg slides for
> details on this)
> - batchee: you can use this code but it is not used remotely normally so no
> real risk
> - openwebbeans: depends on whether you use serializable scopes and how (no risk
> with default setup)
> - activemq: risk using a remote broker
> - tomee: medium risk using ejbd protocol
>
>
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <
> https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-11-27 13:48 GMT+01:00 Lukas Kohl <lukas.k...@ergodirekt.de>:
>
> > Hello Romain,
> > thank you very much, this was quite fast!
> > You mentioned that there is only one dangerous place. Which place in
> > OpenEJB is this?
> >
> > I am running on Oejb 4.5.2, which is pretty much uncustomized. Am I safe?
> >
> >
> > Kind regards,
> > Lukas
> >
> >
> >
> > From:    Romain Manni-Bucau <rmannibu...@gmail.com>
> > To:      "users@tomee.apache.org" <users@tomee.apache.org>
> > Date:    27.11.2015 13:16
> > Subject: [SPAM] Re: Unsecure deserialization of Java Objects
> >
> >
> >
> > Fixed in jcs, batchee, owb, tomee, openjpa
> > AMQ already had the fix
> > opened an issue for myfaces
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <http://rmannibucau.wordpress.com> | Github <
> > https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > <http://www.tomitribe.com>
> >
> > 2015-11-27 12:06 GMT+01:00 Romain Manni-Bucau <rmannibu...@gmail.com>:
> >
> > > You can run the code you want more or less. Openjpa got the same issue
> > > and fixed it months ago.
> > >
> > > I'll add the filter today
> > > On 27 Nov 2015 12:00, "Andy" <andy...@gmx.de> wrote:
> > >
> > >> What is the dangerous option, so we can inform people of the danger?
> > >>
> > >> Andy.
> > >>
> > >> --
> > >>   Andy Gumbrecht
> > >>   https://twitter.com/AndyGeeDe
> > >>
> > >>
> >
> >
> >
> >
> >
> >
>



-- 
Med vänlig hälsning / Best regards

Lars-Fredrik Smedberg

