Google Git
Sign in
apache / tomee-site-pub / 43cf80e624a0cecf0f38bef5ef2614bfb2410f57 / . / security / security.html
blob: e168d64dbca1355f3493f2125f6027ee2710f7d5 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Apache TomEE</title>
<meta name="description"
content="Apache TomEE is a lightweight, yet powerful, JavaEE Application server with feature rich tooling." />
<meta name="keywords" content="tomee,asf,apache,javaee,jee,shade,embedded,test,junit,applicationcomposer,maven,arquillian" />
<meta name="author" content="Luka Cvetinovic for Codrops" />
<link rel="icon" href="../favicon.ico">
<link rel="icon" type="image/png" href="../favicon.png">
<meta name="msapplication-TileColor" content="#80287a">
<meta name="theme-color" content="#80287a">
<link rel="stylesheet" type="text/css" href="../css/normalize.css">
<link rel="stylesheet" type="text/css" href="../css/bootstrap.css">
<link rel="stylesheet" type="text/css" href="../css/owl.css">
<link rel="stylesheet" type="text/css" href="../css/animate.css">
<link rel="stylesheet" type="text/css" href="../fonts/font-awesome-4.1.0/css/font-awesome.min.css">
<link rel="stylesheet" type="text/css" href="../fonts/eleganticons/et-icons.css">
<link rel="stylesheet" type="text/css" href="../css/jqtree.css">
<link rel="stylesheet" type="text/css" href="../css/idea.css">
<link rel="stylesheet" type="text/css" href="../css/cardio.css">
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2717626-1']);
_gaq.push(['_setDomainName', 'apache.org']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
</head>
<body>
<div class="preloader">
<img src="../img/loader.gif" alt="Preloader image">
</div>
<nav class="navbar">
<div class="container">
<div class="row"> <div class="col-md-12">
<!-- Brand and toggle get grouped for better mobile display -->
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/">
<span>
<img src="../img/logo-active.png">
</span>
Apache TomEE
</a>
</div>
<!-- Collect the nav links, forms, and other content for toggling -->
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav navbar-right main-nav">
<li><a href="../docs.html">Documentation</a></li>
<li><a href="../community/index.html">Community</a></li>
<li><a href="../security/security.html">Security</a></li>
<li><a href="../download-ng.html">Downloads</a></li>
</ul>
</div>
<!-- /.navbar-collapse -->
</div></div>
</div>
<!-- /.container-fluid -->
</nav>
<div id="main-block" class="container main-block">
<div class="row title">
<div class="col-md-12">
<div class='page-header'>
<div class='btn-toolbar pull-right' style="z-index: 2000;">
<div class='btn-group'>
<a class="btn" href="../security/security.pdf"><i class="fa fa-file-pdf-o"></i> Download as PDF</a>
</div>
</div>
<h1>Security</h1>
</div>
</div>
</div>
<div class="row">
<div class="col-md-12">
<div class="sect2">
<h3 id="_security_updates">Security updates</h3>
<div class="paragraph">
<p>Please note that, except in rare circumstances, binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache TomEE version where that vulnerability has been fixed.</p>
</div>
<div class="paragraph">
<p>Source patches, usually in the form of references to SVN commits, may be provided in either in a vulnerability announcement and/or the vulnerability details listed on these pages. These source patches may be used by users wishing to build their own local version of TomEE with just that security patch rather than upgrade.</p>
</div>
<div class="paragraph">
<p>The Apache Software Foundation takes a very active stance in eliminating security problems and denial of service attacks against Apache projects.</p>
</div>
<div class="paragraph">
<p>We strongly encourage folks to report such problems to the private security mailing list first, before disclosing them in a public forum.</p>
</div>
<div class="paragraph">
<p>Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities in Apache projects and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other queries at this address. All mail sent to this address that does not relate to an undisclosed security problem will be ignored.</p>
</div>
<div class="paragraph">
<p>If you need to report a bug that isn&#8217;t an undisclosed security vulnerability, please use the bug reporting system.</p>
</div>
<div class="paragraph">
<p>Questions about:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>how to configure TomEE securely</p>
</li>
<li>
<p>if a vulnerability applies to your particular application</p>
</li>
<li>
<p>obtaining further information on a published vulnerability</p>
</li>
<li>
<p>availability of patches and/or new releases</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>should be addressed to the <a href="support.html">users mailing list</a>.</p>
</div>
<div class="paragraph">
<p>The private security mailing address is: security (at) apache (dot) org</p>
</div>
<div class="paragraph">
<p>Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds to generic problems (such as a client streaming lots of data to your server, or re-requesting the same URL repeatedly). In general our philosophy is to avoid any attacks which can cause the server to consume resources in a non-linear relationship to the size of inputs.</p>
</div>
</div>
<div class="sect2">
<h3 id="_third_party_projects">Third-party projects</h3>
<div class="paragraph">
<p>Apache is built with the following components. Please see the security advisories information for each component for more information on the security vulnerabilities and issues that may affect that component.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Apache Tomcat 7.x: Tomcat 7 security advisories</p>
</li>
<li>
<p>Apache OpenJPA</p>
</li>
<li>
<p>Apache CXF: CXF Security Advisories</p>
</li>
<li>
<p>Apache OpenWebBeans</p>
</li>
<li>
<p>Apache MyFaces</p>
</li>
<li>
<p>Apache Bean Validation</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>By default any regular TomEE releases uses latest sub project releases, so that we can follow all security fixes as much as possible.</p>
</div>
</div>
<div class="sect2">
<h3 id="_apache_tomee_versioning_details">Apache TomEE versioning details</h3>
<div class="paragraph">
<p>As security is a key concern in many companies, TomEE team also considers to deliver specific security fixes for those external projects being fixed. For instance, if Tomcat fixes a security issue in Tomcat x.y.z, used in TomEE a.b.c, we will consider packaging a new security update release using the new Tomcat release.</p>
</div>
<div class="paragraph">
<p>In order to achieve a smoothly migration patch between a TomEE version and a security update, the TomEE team has decided to adopt the following versioning major.minor.patch[.security update]</p>
</div>
<div class="ulist">
<ul>
<li>
<p>major ([0-9]+): it refers mainly to the Java EE version we implement. 1.x for Java EE 6 for example.</p>
</li>
<li>
<p>minor ([0-9]+): contains features, bugfixes and security fixes (internal or third-party)</p>
</li>
<li>
<p>patch ([0-9]+): only bugfixes applied</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Optionally we can concatenate a security update to the version if TomEE source base if not impacted but only a dependency. Note this didn&#8217;t happen yet.</p>
</div>
</div>
<div class="sect2">
<h3 id="_additional_information">Additional information</h3>
<div class="sect3">
<h4 id="_secunia">Secunia</h4>
<div class="paragraph">
<p>Secunia is an international IT security company specialising in vulnerability management based in Copenhagen, Denmark.</p>
</div>
<div class="paragraph">
<p>There is an Apache Software Foundation vendor declared so you can follow all vulnerabilities related to Apache products. Of course, a Apache TomEE product is also available so you can search for know advisories.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_links">Links</h3>
<div class="ulist">
<ul>
<li>
<p><a href="http://apache.org/security/" class="bare">http://apache.org/security/</a></p>
</li>
<li>
<p><a href="http://apache.org/security/projects.html" class="bare">http://apache.org/security/projects.html</a></p>
</li>
<li>
<p><a href="http://apache.org/security/committers.html" class="bare">http://apache.org/security/committers.html</a></p>
</li>
<li>
<p><a href="http://cve.mitre.org/">Common Vulnerabilities and Exposures database</a></p>
</li>
</ul>
</div>
</div>
</div>
</div>
</div>
<footer>
<div class="container">
<div class="row">
<div class="col-sm-6 text-center-mobile">
<h3 class="white">Be simple. Be certified. Be Tomcat.</h3>
<h5 class="light regular light-white">"A good application in a good server"</h5>
<ul class="social-footer">
<li><a href="https://www.facebook.com/ApacheTomEE/"><i class="fa fa-facebook"></i></a></li>
<li><a href="https://twitter.com/apachetomee"><i class="fa fa-twitter"></i></a></li>
<li><a href="https://plus.google.com/communities/105208241852045684449"><i class="fa fa-google-plus"></i></a></li>
</ul>
</div>
<div class="col-sm-6 text-center-mobile">
<div class="row opening-hours">
<div class="col-sm-3 text-center-mobile">
<h5><a href="../latest/docs/" class="white">Documentation</a></h5>
<ul class="list-unstyled">
<li><a href="../latest/docs/admin/configuration/index.html" class="regular light-white">How to configure</a></li>
<li><a href="../latest/docs/admin/file-layout.html" class="regular light-white">Dir. Structure</a></li>
<li><a href="../latest/docs/developer/testing/index.html" class="regular light-white">Testing</a></li>
<li><a href="../latest/docs/admin/cluster/index.html" class="regular light-white">Clustering</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../latest/examples/" class="white">Examples</a></h5>
<ul class="list-unstyled">
<li><a href="../latest/examples/simple-cdi-interceptor.html" class="regular light-white">CDI Interceptor</a></li>
<li><a href="../latest/examples/rest-cdi.html" class="regular light-white">REST with CDI</a></li>
<li><a href="../latest/examples/ejb-examples.html" class="regular light-white">EJB</a></li>
<li><a href="../latest/examples/jsf-managedBean-and-ejb.html" class="regular light-white">JSF</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../community/index.html" class="white">Community</a></h5>
<ul class="list-unstyled">
<li><a href="../community/contributors.html" class="regular light-white">Contributors</a></li>
<li><a href="../community/social.html" class="regular light-white">Social</a></li>
<li><a href="../community/sources.html" class="regular light-white">Sources</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../security/index.html" class="white">Security</a></h5>
<ul class="list-unstyled">
<li><a href="http://apache.org/security" target="_blank" class="regular light-white">Apache Security</a></li>
<li><a href="http://apache.org/security/projects.html" target="_blank" class="regular light-white">Security Projects</a></li>
<li><a href="http://cve.mitre.org" target="_blank" class="regular light-white">CVE</a></li>
</ul>
</div>
</div>
</div>
</div>
<div class="row bottom-footer text-center-mobile">
<div class="col-sm-12 light-white">
<p>Copyright &copy; 1999-2016 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache TomEE, TomEE, Apache, the Apache feather logo, and the Apache TomEE project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</p>
</div>
</div>
</div>
</footer>
<!-- Holder for mobile navigation -->
<div class="mobile-nav">
<ul>
<li><a hef="../latest/docs/admin/index.html">Administrators</a>
<li><a hef="../latest/docs/developer/index.html">Developers</a>
<li><a hef="../latest/docs/advanced/index.html">Advanced</a>
<li><a hef="../community/index.html">Community</a>
</ul>
<a href="#" class="close-link"><i class="arrow_up"></i></a>
</div>
<!-- Scripts -->
<script src="../js/jquery-1.11.1.min.js"></script>
<script src="../js/owl.carousel.min.js"></script>
<script src="../js/bootstrap.min.js"></script>
<script src="../js/wow.min.js"></script>
<script src="../js/typewriter.js"></script>
<script src="../js/jquery.onepagenav.js"></script>
<script src="../js/tree.jquery.js"></script>
<script src="../js/highlight.pack.js"></script>
<script src="../js/main.js"></script>
</body>
</html>