Question Regarding CVE-2013-4444

Question Regarding CVE-2013-4444

Jason Core
To remedy CVE-2013-4444, can users just upgrade their version of Oracle Java
to 8 and not have to upgrade their version of TomEE?

We are currently on Apache TomEE 1.7.0

In the post below it looks as if we can do either – upgrade the TomEE version or
upgrade the Java version.

https://threatpost.com/apache-warns-of-tomcat-remote-code-execution-vulnerability/108192/
--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Question Regarding CVE-2013-4444

Romain Manni-Bucau
Hi Jason, it is an "or".

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://blog-rmannibucau.rhcloud.com> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
<https://javaeefactory-rmannibucau.rhcloud.com>

2017-09-06 23:37 GMT+02:00 Jason Core <[hidden email]>:

Re: Question Regarding CVE-2013-4444

agumbrecht
If you want to remain on Java 7, then ensure you are using 7.26 or later.

Moving TomEE 1.7.x onto Java 8 should not be performed without
extensive testing of the production system, but it should be OK.

You could also just upgrade to TomEE 1.7.4. You may need to adjust the
'tomee.serialization.class.whitelist' system property; see here:
http://tomee.apache.org/ejbd-transport.html

Andy.


    --
    Andy Gumbrecht

    http://www.tomitribe.com
    agumbrecht@tomitribe.com
    https://twitter.com/AndyGeeDe

    TomEE treibt Tomitribe ! | http://tomee.apache.org
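As an added illustration (not TomEE's own code, and not something posted in this thread) of what a serialization class whitelist of the kind controlled by the 'tomee.serialization.class.whitelist' property does: an ObjectInputStream that refuses to resolve any class whose name does not start with an allowed prefix, with a blacklist that always wins, so a disallowed class is rejected before the JVM loads it. The property names mirror the one Andy cites; the parsing rules assumed here (comma-separated name prefixes, "*" meaning allow everything, blacklist checked first) and the Greeting sample type are assumptions for this demo, not TomEE's actual semantics, which are documented on the EJBd transport page linked above.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/** Demo of a prefix-based serialization whitelist; not TomEE's EJBd implementation. */
public class WhitelistObjectInputStream extends ObjectInputStream {

    // Property names as cited in the thread; the value format below is an assumption.
    public static final String WHITELIST_PROPERTY = "tomee.serialization.class.whitelist";
    public static final String BLACKLIST_PROPERTY = "tomee.serialization.class.blacklist";

    private final List<String> whitelist;
    private final List<String> blacklist;

    public WhitelistObjectInputStream(InputStream in, String whitelistCsv, String blacklistCsv)
            throws IOException {
        super(in);
        this.whitelist = split(whitelistCsv);
        this.blacklist = split(blacklistCsv);
    }

    /** Read both lists from system properties, as a container would at startup. */
    public static WhitelistObjectInputStream fromSystemProperties(InputStream in) throws IOException {
        return new WhitelistObjectInputStream(in,
                System.getProperty(WHITELIST_PROPERTY, ""),
                System.getProperty(BLACKLIST_PROPERTY, ""));
    }

    private static List<String> split(String csv) {
        List<String> out = new ArrayList<>();
        if (csv == null) return out;
        for (String part : csv.split(",")) {
            String p = part.trim();
            if (!p.isEmpty()) out.add(p);
        }
        return out;
    }

    /** Blacklist wins over whitelist; an empty whitelist allows nothing. */
    boolean isAllowed(String className) {
        for (String b : blacklist) {
            if (className.startsWith(b)) return false;
        }
        for (String w : whitelist) {
            if ("*".equals(w) || className.startsWith(w)) return true;
        }
        return false;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Array descriptors look like "[Lcom.example.Foo;" or "[I"; check the element type.
        String element = name;
        while (element.startsWith("[")) element = element.substring(1);
        if (element.startsWith("L") && element.endsWith(";")) {
            element = element.substring(1, element.length() - 1);
        }
        boolean primitiveArray = element.length() == 1;
        if (!primitiveArray && !isAllowed(element)) {
            // Thrown before the class is loaded: no static initializer, constructor
            // or readObject() of a disallowed type ever runs.
            throw new InvalidClassException(name, "class is not in the serialization whitelist");
        }
        return super.resolveClass(desc);
    }

    /** Sample payload type, constructed for this demo. */
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, String whitelist, String blacklist)
            throws IOException, ClassNotFoundException {
        try (WhitelistObjectInputStream in = new WhitelistObjectInputStream(
                new ByteArrayInputStream(bytes), whitelist, blacklist)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new Greeting("hello"));
        String own = Greeting.class.getName(); // prefix covering the demo's own type

        // 1. Whitelisted prefix: deserialization succeeds.
        Greeting g = (Greeting) deserialize(payload, own, "");
        System.out.println("allowed: " + g.text);

        // 2. Whitelist covers only another package: rejected before the class loads.
        try {
            deserialize(payload, "com.example.", "");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // 3. Wildcard whitelist but blacklisted prefix: the blacklist wins.
        try {
            deserialize(payload, "*", own);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that java.lang.String values are written as a dedicated stream tag and never pass through resolveClass, but ordinary JDK types such as java.util.ArrayList do, so a whitelist that lists only application packages will also block collections and similar carrier types unless their prefixes are added.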