<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Apache TomEE</title>
<meta name="description"
content="Apache TomEE is a lightweight, yet powerful, JavaEE Application server with feature rich tooling." />
<meta name="keywords" content="tomee,asf,apache,javaee,jee,shade,embedded,test,junit,applicationcomposer,maven,arquillian" />
<meta name="author" content="Luka Cvetinovic for Codrops" />
<link rel="icon" href="../favicon.ico">
<link rel="icon" type="image/png" href="../favicon.png">
<meta name="msapplication-TileColor" content="#80287a">
<meta name="theme-color" content="#80287a">
<link rel="stylesheet" type="text/css" href="../css/normalize.css">
<link rel="stylesheet" type="text/css" href="../css/bootstrap.css">
<link rel="stylesheet" type="text/css" href="../css/owl.css">
<link rel="stylesheet" type="text/css" href="../css/animate.css">
<link rel="stylesheet" type="text/css" href="../fonts/font-awesome-4.1.0/css/font-awesome.min.css">
<link rel="stylesheet" type="text/css" href="../fonts/eleganticons/et-icons.css">
<link rel="stylesheet" type="text/css" href="../css/jqtree.css">
<link rel="stylesheet" type="text/css" href="../css/idea.css">
<link rel="stylesheet" type="text/css" href="../css/cardio.css">
<script type="text/javascript">
<!-- Matomo -->
var _paq = window._paq = window._paq || [];
/* tracker methods like "setCustomDimension" should be called before "trackPageView" */
/* We explicitly disable cookie tracking to avoid privacy issues */
_paq.push(['disableCookies']);
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function () {
var u = "//matomo.privacy.apache.org/";
_paq.push(['setTrackerUrl', u + 'matomo.php']);
_paq.push(['setSiteId', '5']);
var d = document, g = d.createElement('script'), s = d.getElementsByTagName('script')[0];
g.async = true;
g.src = u + 'matomo.js';
s.parentNode.insertBefore(g, s);
})();
<!-- End Matomo Code -->
</script>
</head>
<body>
<div class="preloader">
<img src="../img/loader.gif" alt="Preloader image">
</div>
<nav class="navbar">
<div class="container">
<div class="row"> <div class="col-md-12">
<!-- Brand and toggle get grouped for better mobile display -->
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/" title="Apache TomEE">
<span>
<img
src="../img/apache_tomee-logo.svg"
onerror="this.src='../img/apache_tomee-logo.jpg'"
height="50"
>
</span>
</a>
</div>
<!-- Collect the nav links, forms, and other content for toggling -->
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav navbar-right main-nav">
<li><a href="../docs.html">Documentation</a></li>
<li><a href="../community/index.html">Community</a></li>
<li><a href="../security/security.html">Security</a></li>
<li><a class="btn btn-accent accent-orange no-shadow" href="../download.html">Downloads</a></li>
</ul>
</div>
<!-- /.navbar-collapse -->
</div></div>
</div>
<!-- /.container-fluid -->
</nav>
<div id="main-block" class="container main-block">
<div class="row title">
<div class="col-md-12">
<div class='page-header'>
<h1>Apache TomEE Security Vulnerabilities</h1>
</div>
</div>
</div>
<div class="row">
<div class="col-md-12">
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache TomEE 1.x and 7.x.
Each vulnerability is given a security impact rating either by the Apache TomEE team or by the upstream project supplying the fix; note that this rating is not uniform and varies from project to project.
We also list the versions of Apache TomEE the flaw is known to affect; where a flaw has not been verified against a version, that version is listed with a question mark.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
Vulnerabilities that are not TomEE vulnerabilities but have either been incorrectly reported against TomEE, or for which TomEE provides a workaround, are listed below in the section "Not a vulnerability".
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Please note that binary patches are never provided.
If you need to apply a source code patch, use the building instructions for the Apache TomEE version that you are using.
For TomEE 1.x those are <a href="/dev/building-from-source.html">Building TomEE from source</a>.</p>
</div>
<div class="paragraph">
<p>If you need help building or configuring TomEE, or other help following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public <a href="../support.html">Users mailing list</a>.</p>
</div>
<div class="paragraph">
<p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the <a href="http://www.apache.org/security">Apache Security Team</a>.
Thank you.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_fixed_in_apache_tomee_7_0_1">Fixed in Apache TomEE 7.0.1</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E">CVE-2016-3092</a> Apache Tomcat Denial of Service</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_fixed_in_apache_tomee_7_0_0_m3_and_1_7_4">Fixed in Apache TomEE 7.0.0-M3 and 1.7.4</h2>
<div class="sectionbody">
<div class="paragraph">
<p>TomEE versions up to and including 1.7.3 and 7.0.0-M1 were affected by the Java deserialization vulnerability described below: untrusted serialized objects received over the EJBd protocol were deserialized without restriction.
Note that even though a first fix shipped in 7.0.0-M2, we recommend upgrading to 7.0.0-M3, which includes a better fix for it (better defaults).</p>
</div>
<div class="paragraph">
<p>This issue only affects you if you rely on the EJBd protocol (TomEE's proprietary remote EJB protocol).
It is not enabled by default in the 7.x series, but it was in the 1.x series.</p>
</div>
<div class="paragraph">
<p>The related CVE numbers are:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0779">CVE-2016-0779</a>: The EJBd protocol provided by TomEE lets a remote attacker reach the deserialization vulnerability.</p>
</li>
<li>
<p><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8581">CVE-2015-8581</a>: The EjbObjectInputStream class in Apache TomEE allows remote attackers to execute arbitrary commands via a serialized Java stream.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9.</p>
</div>
<div class="paragraph">
<p>See the <a href="/properties-listing.html">properties configuration</a> and <a href="/ejbd-transport.html">EJBd transport</a> pages for details on the tomee.serialization.class.* properties (which classes the EJBd server will deserialize) and tomee.remote.support (whether remote EJBd access is enabled at all).</p>
</div>
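<div class="paragraph">
<p>To make the shape of the fix concrete, here is an added example of a filtering <code>ObjectInputStream</code>. It is not TomEE's own <code>EjbObjectInputStream</code> and not the code from the commit above; it only illustrates the technique of refusing class descriptors against allow and deny lists before any instance is created, which is what the tomee.serialization.class.* properties configure. The prefix lists, the deny-before-allow ordering, and the class name <code>FilteredObjectInputStream</code> are assumptions for this example, not TomEE's defaults or API; check the properties listing for the exact semantics of the real properties.</p>
</div>

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Example code, not TomEE's: an ObjectInputStream that consults prefix-matched
// allow and deny lists for every class named in the stream.
public class FilteredObjectInputStream extends ObjectInputStream {
    // Assumed policy representation: lists of class-name prefixes.
    private final List<String> allowed;
    private final List<String> denied;

    public FilteredObjectInputStream(InputStream in, List<String> allowed, List<String> denied) throws IOException {
        super(in);
        this.allowed = allowed;
        this.denied = denied;
    }

    // Called for every class descriptor in the stream before an instance is created,
    // so a gadget class is refused before its readObject()/readResolve() can run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        check(desc.getName());
        return super.resolveClass(desc);
    }

    // Dynamic proxies carry their interface names separately; each one is checked too.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        for (String itf : interfaces) {
            check(itf);
        }
        return super.resolveProxyClass(interfaces);
    }

    private void check(String streamName) throws InvalidClassException {
        String name = streamName;
        // Unwrap array descriptors: "[[Ljava.lang.String;" -> "java.lang.String", "[I" -> "I".
        while (name.startsWith("[")) {
            name = name.substring(1);
        }
        if (name.startsWith("L") && name.endsWith(";")) {
            name = name.substring(1, name.length() - 1);
        }
        if (name.length() == 1 && "ZBCDFIJS".contains(name)) {
            return; // primitive array component type, nothing to load
        }
        for (String prefix : denied) {            // deny list wins over allow list
            if (name.startsWith(prefix)) {
                throw new InvalidClassException(streamName, "class is on the deserialization deny list");
            }
        }
        for (String prefix : allowed) {
            if (name.startsWith(prefix)) {
                return;
            }
        }
        throw new InvalidClassException(streamName, "class is not on the deserialization allow list");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data, List<String> allowed, List<String> denied)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteredObjectInputStream(new ByteArrayInputStream(data), allowed, denied)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample policy (assumption): only java.lang and java.util types may be read,
        // and two prefixes are refused outright even where they would otherwise match.
        List<String> allowed = Arrays.asList("java.lang.", "java.util.");
        List<String> denied = Arrays.asList("java.lang.Process", "org.apache.commons.collections.functors.");

        byte[] harmless = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        System.out.println("accepted: " + deserialize(harmless, allowed, denied));

        // java.net.URL is Serializable but outside the allow list, so the stream is refused
        // when its class descriptor is resolved, before any URL instance exists.
        byte[] unexpected = serialize(new URL("http://example.invalid/"));
        try {
            deserialize(unexpected, allowed, denied);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

<div class="paragraph">
<p>The check runs in <code>resolveClass</code> rather than after <code>readObject</code> returns because the dangerous work (a gadget's <code>readObject</code> or <code>readResolve</code>) happens during deserialization, not after it. On Java 9 and later (and 8u121 and later) the JDK's built-in <code>ObjectInputFilter</code> / <code>jdk.serialFilter</code> mechanism gives the same kind of control without subclassing; an allow list that names only the types a given EJBd interface actually needs is a much stronger policy than a deny list of known gadget packages, which is why the page recommends the 7.0.0-M3 defaults over the first fix.</p>
</div>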
<div class="sect2">
<h3 id="_credit">Credit</h3>
<div class="paragraph">
<p>We would like to thank cpnrodzc7, who discovered this issue working with HP&#8217;s Zero Day Initiative.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_fixed_in_third_party">Fixed in Third-party</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Covered by <a href="http://tomee.apache.org/downloads.html">Apache TomEE 1.6.0.2</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="http://cxf.apache.org/security-advisories.data/CVE-2014-0109.txt.asc?version=1&amp;modificationDate=1398873370740&amp;api=v2">CVE-2014-0109</a>: HTML content posted to SOAP endpoint could cause OOM errors</p>
</li>
<li>
<p><a href="http://cxf.apache.org/security-advisories.data/CVE-2014-0110.txt.asc?version=1&amp;modificationDate=1398873378628&amp;api=v2">CVE-2014-0110</a>: Large invalid content could cause temporary space to fill</p>
</li>
<li>
<p><a href="http://cxf.apache.org/security-advisories.data/CVE-2014-0034.txt.asc?version=1&amp;modificationDate=1398873385252&amp;api=v2">CVE-2014-0034</a>: The SecurityTokenService accepts certain invalid SAML Tokens as valid</p>
</li>
<li>
<p><a href="http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.asc?version=1&amp;modificationDate=1398873391788&amp;api=v2">CVE-2014-0035</a>: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Covered by <a href="http://tomee.apache.org/downloads.html">Apache TomEE 1.6.0.1</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p>Fixed in Tomcat 7.0.52 <em>Important: Denial of Service</em> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050">CVE-2014-0050</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Covered by <a href="http://tomee.apache.org/downloads.html">Apache TomEE 1.6.0</a></p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="http://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc?version=1&amp;modificationDate=1372324301000&amp;api=v2">CVE-2013-2160</a> - Denial of Service Attacks on Apache CXF</p>
</li>
<li>
<p><a href="http://cxf.apache.org/cve-2012-5575.html">Note on CVE-2012-5575</a> - XML Encryption backwards compatibility attack on Apache CXF.</p>
</li>
<li>
<p><a href="http://cxf.apache.org/cve-2013-0239.html">CVE-2013-0239</a> - Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_not_a_vulnerability">Not a vulnerability</h2>
<div class="sectionbody">
</div>
</div>
</div>
</div>
</div>
<div style="margin-bottom: 30px;"></div>
<footer>
<div class="container">
<div class="row">
<div class="col-sm-6 text-center-mobile">
<h3 class="white">Be simple. Be certified. Be Tomcat.</h3>
<h5 class="light regular light-white">"A good application in a good server"</h5>
<ul class="social-footer">
<li><a href="https://www.facebook.com/ApacheTomEE/"><i class="fa fa-facebook"></i></a></li>
<li><a href="https://twitter.com/apachetomee"><i class="fa fa-twitter"></i></a></li>
</ul>
<h5 class="light regular light-white">
<a href="../privacy-policy.html" class="white">Privacy Policy</a>
</h5>
</div>
<div class="col-sm-6 text-center-mobile">
<div class="row opening-hours">
<div class="col-sm-3 text-center-mobile">
<h5><a href="../latest/docs/" class="white">Documentation</a></h5>
<ul class="list-unstyled">
<li><a href="../latest/docs/admin/configuration/index.html" class="regular light-white">How to configure</a></li>
<li><a href="../latest/docs/admin/file-layout.html" class="regular light-white">Dir. Structure</a></li>
<li><a href="../latest/docs/developer/testing/index.html" class="regular light-white">Testing</a></li>
<li><a href="../latest/docs/admin/cluster/index.html" class="regular light-white">Clustering</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../latest/examples/" class="white">Examples</a></h5>
<ul class="list-unstyled">
<li><a href="../latest/examples/simple-cdi-interceptor.html" class="regular light-white">CDI Interceptor</a></li>
<li><a href="../latest/examples/rest-cdi.html" class="regular light-white">REST with CDI</a></li>
<li><a href="../latest/examples/ejb-examples.html" class="regular light-white">EJB</a></li>
<li><a href="../latest/examples/jsf-managedBean-and-ejb.html" class="regular light-white">JSF</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../community/index.html" class="white">Community</a></h5>
<ul class="list-unstyled">
<li><a href="../community/contributors.html" class="regular light-white">Contributors</a></li>
<li><a href="../community/social.html" class="regular light-white">Social</a></li>
<li><a href="../community/sources.html" class="regular light-white">Sources</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../security/index.html" class="white">Security</a></h5>
<ul class="list-unstyled">
<li><a href="https://apache.org/security" target="_blank" class="regular light-white">Apache Security</a></li>
<li><a href="https://apache.org/security/projects.html" target="_blank" class="regular light-white">Security Projects</a></li>
<li><a href="https://cve.mitre.org" target="_blank" class="regular light-white">CVE</a></li>
</ul>
</div>
</div>
</div>
</div>
<div class="row bottom-footer text-center-mobile">
<div class="col-sm-12 light-white">
<p>Copyright &copy; 1999-2022 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache TomEE, TomEE, Apache, the Apache feather logo, and the Apache TomEE project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</p>
</div>
</div>
</div>
</footer>
<!-- Holder for mobile navigation -->
<div class="mobile-nav">
<ul>
<li><a href="../latest/docs/admin/index.html">Administrators</a>
<li><a href="../latest/docs/developer/index.html">Developers</a>
<li><a href="../latest/docs/advanced/index.html">Advanced</a>
<li><a href="../community/index.html">Community</a>
</ul>
<a href="#" class="close-link"><i class="arrow_up"></i></a>
</div>
<!-- Scripts -->
<script src="../js/jquery-1.11.1.min.js"></script>
<script src="../js/owl.carousel.min.js"></script>
<script src="../js/bootstrap.min.js"></script>
<script src="../js/wow.min.js"></script>
<script src="../js/typewriter.js"></script>
<script src="../js/jquery.onepagenav.js"></script>
<script src="../js/tree.jquery.js"></script>
<script src="../js/highlight.pack.js"></script>
<script src="../js/main.js"></script>
</body>
</html>