Posted to commits@tomee.apache.org by rm...@apache.org on 2016/04/05 13:39:26 UTC

svn commit: r1737824 - /tomee/site/trunk/content/security/tomee.mdtext

Author: rmannibucau
Date: Tue Apr  5 11:39:26 2016
New Revision: 1737824

URL: http://svn.apache.org/viewvc?rev=1737824&view=rev
Log:
mentioning CVE-2015-8581, thanks Robert Panzer for the patch

Modified:
    tomee/site/trunk/content/security/tomee.mdtext

Modified: tomee/site/trunk/content/security/tomee.mdtext
URL: http://svn.apache.org/viewvc/tomee/site/trunk/content/security/tomee.mdtext?rev=1737824&r1=1737823&r2=1737824&view=diff
==============================================================================
--- tomee/site/trunk/content/security/tomee.mdtext (original)
+++ tomee/site/trunk/content/security/tomee.mdtext Tue Apr  5 11:39:26 2016
@@ -29,7 +29,11 @@ that even if fixed in 7.0.0-M2 we recomm
 This issue only affects you if you rely on EJBd protocol (proprietary remote EJB protocol). This one one is not activated by default on the 7.x series
 but it was on the 1.x ones.
 
-The related CVE number is [CVE-2016-0779](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0779): the EJBd protocol provided by TomEE can exploit the 0-day vulnerability.
+The related CVE numbers are:
+
+* [CVE-2016-0779](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0779): The EJBd protocol provided by TomEE can exploit the 0-day vulnerability.
+* [CVE-2015-8581](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8581): The EjbObjectInputStream class in Apache TomEE allows remote attackers to execute arbitrary commands via a serialized Java stream.
+
 This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9.
 
 Check [properties configuration](/properties-listing.html) and [Ejbd transport](/ejbd-transport.html) for more details (tomee.serialization.class.* and tomee.remote.support).
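Review bot: the sentence "This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9." now follows a list of two CVEs but still reads as referring to a single issue; state whether that one commit addresses both CVE-2016-0779 and CVE-2015-8581, or give each bullet its own fix reference, so readers can tell which fixed version covers each advisory. The preceding context line "This issue only affects you if you rely on EJBd protocol" has the same singular/plural mismatch and also carries the typo "This one one is"; consider rewording to "These issues only affect you ..." and fixing the duplicated word in the same change. Finally, the CVE-2016-0779 bullet ("The EJBd protocol provided by TomEE can exploit the 0-day vulnerability") is hard to parse; a description in the same form as the CVE-2015-8581 bullet (component, impact, vector) would make the list consistent.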