
Apache TomEE 1.x < 1.7.4 / 7.x < 7.0.0-M3 Multiple RCE

Critical

Synopsis

The remote web server is running Apache TomEE.

Description

The remote web server is running Apache TomEE 1.x prior to 1.7.4 or 7.x prior to 7.0.0-M3 and is therefore affected by two remote code execution (RCE) vulnerabilities:

- A flaw exists in 'EjbObjectInputStream' that is triggered during the deserialization of Java serialized input in the binary stream. This may allow a remote attacker to execute arbitrary code. (CVE-2015-8581)

- A flaw exists in the EJBd protocol that is triggered during the deserialization of crafted Java objects. This may allow a remote attacker to execute arbitrary code. Exploitation requires that EJBd is enabled on the instance, which is the default setting. (CVE-2016-0779)

Solution

Upgrade Apache TomEE to version 7.0.0-M3. If version 7.x cannot be obtained, version 1.7.4 is also patched for this issue.
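The affected ranges above are easy to get wrong by hand because TomEE milestone builds (7.0.0-M1, 7.0.0-M2, ...) sort before the final 7.0.0 release, so a naive string or tuple comparison misclassifies them. The following version check is an added example written for this page; it is not Tenable plugin code or Apache project code. It assumes version strings of the form `MAJOR.MINOR.PATCH` with an optional `-M<n>` milestone suffix, and the inventory records at the bottom are constructed sample data.

```python
import re

# Fixed versions exactly as stated in the advisory, keyed by major branch.
FIXED_BY_BRANCH = {1: "1.7.4", 7: "7.0.0-M3"}

# Assumed format: MAJOR.MINOR.PATCH with an optional -M<n> milestone suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Return a tuple that orders milestones before the final release.

    7.0.0-M2 < 7.0.0-M3 < 7.0.0 because a milestone maps to (0, n) and a
    final release maps to (1, 0) in the last component.
    """
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised TomEE version string: {text!r}")
    major, minor, patch, milestone = match.groups()
    last = (1, 0) if milestone is None else (0, int(milestone))
    return (int(major), int(minor), int(patch), last)


def is_affected(version):
    """True if the version falls in an affected range named by the advisory.

    Returns None for branches the advisory does not cover, so callers do not
    mistake 'no data' for 'patched'.
    """
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[0])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(hosts):
    """Map each (host, version, ejbd_enabled) record to a triage verdict.

    CVE-2015-8581 applies to every affected version; CVE-2016-0779 also
    applies, but the advisory notes it needs EJBd enabled (the default),
    so a host with EJBd disabled is reported as patch-required but not
    immediately exposed on that vector.
    """
    verdicts = {}
    for host, version, ejbd_enabled in hosts:
        affected = is_affected(version)
        if affected is None:
            verdicts[host] = "branch not covered by advisory"
        elif not affected:
            verdicts[host] = "not affected"
        elif ejbd_enabled:
            verdicts[host] = "affected: CVE-2015-8581, CVE-2016-0779 (EJBd on)"
        else:
            verdicts[host] = "affected: CVE-2015-8581; CVE-2016-0779 needs EJBd"
    return verdicts


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("app-01.example", "1.7.3", True),
    ("app-02.example", "1.7.4", True),
    ("app-03.example", "7.0.0-M2", False),
    ("app-04.example", "7.0.0-M3", True),
    ("app-05.example", "7.0.0", True),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The `None` return for unknown branches is deliberate: a scanner that silently reports "clean" for a version format it cannot interpret hides exactly the hosts that most need a manual look.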