tomee-users mailing list archives

From Andy Gumbrecht <agumbre...@tomitribe.com>
Subject Re: Question Regarding CVE-2013-4444
Date Wed, 06 Sep 2017 21:46:29 GMT
If you want to remain on Java 7 then ensure you are using at least 7.26 
or later.

Moving TomEE 1.7.x onto Java 8 should not be performed without 
extensive testing of the production system, but it should be OK.

You could also just upgrade to TomEE 1.7.4 - You may need to adjust the 
'tomee.serialization.class.whitelist' System property - See here: 
http://tomee.apache.org/ejbd-transport.html

Andy.

On 06/09/17 23:37, Jason Core wrote:
> To remedy CVE-2013-4444, can users just upgrade their version of Oracle Java
> to 8 and not have to upgrade their version of TomEE?
>
> We are currently on Apache TomEE 1.7.0
>
> In the post below it looks as if we can do either – upgrade TomEE version or
> upgrade Java version.
>
> https://threatpost.com/apache-warns-of-tomcat-remote-code-execution-vulnerability/108192/
>
> --
> Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

