CVE-2016-0779

Severity

8.5

Description

The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Also the EJBd can be disabled by following the steps in the reference.

Reference: [http://tomee.apache.org/ejbd-transport.html](http://tomee.apache.org/ejbd-transport.html)

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0779

http://tomee.apache.org/ejbd-transport.html

http://tomee.apache.org/security/tomee.html

https://www.tenable.com/pvs-plugins/9323

Project

Category

n/a

Tags

data

operational

Date Disclosed

2017-04-11

Date Discovered

2015-12-16

Apache TomEE 1.7.x

First release:

2014-08-09

0

Support Lifecycle:

Namespace:

javax

1.7.0 1.7.1 1.7.2 1.7.3

Apache TomEE 1.6.x

First release:

2013-11-17

0

Support Lifecycle:

Namespace:

javax

1.6.0 1.6.0.1 1.6.0.2

Apache TomEE 1.5.x

First release:

2012-09-28

0

Support Lifecycle:

Namespace:

javax

1.5.0 1.5.1 1.5.2

Apache TomEE 1.0.x

First release:

2012-04-27

0

Support Lifecycle:

Namespace:

javax

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.