This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache TomEE 1.x. Each vulnerability is given a security impact rating by either the Apache TomEE team or by the dependent project supplying the fix - please note that this rating is not uniform and will vary from project to project. We also list the versions of Apache TomEE the flaw is known to affect; where a flaw has not been verified, the version is listed with a question mark.
Note: Vulnerabilities that are not TomEE vulnerabilities but have either been incorrectly reported against TomEE or where TomEE provides a workaround are listed below in the section "Not a vulnerability".
Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Apache TomEE version that you are using. For TomEE 1.x those are Building TomEE 1.x.
If you need help on building or configuring TomEE, or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Users mailing list.
If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.
TomEE was affected by this 0-day vulnerability up to and including versions 1.7.3 and 7.0.0-M1. Note that although it is fixed in 7.0.0-M2, we recommend upgrading to 7.0.0-M3, which includes a better fix for it (better defaults).
This issue only affects you if you rely on the EJBd protocol (TomEE's proprietary remote EJB protocol). It is not activated by default on the 7.x series, but it was on the 1.x series.
The related CVE numbers are:
This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9.
We would like to thank cpnrodzc7, who discovered it working with HP's Zero Day Initiative.
Covered by Apache TomEE 220.127.116.11
Covered by Apache TomEE 18.104.22.168
Covered by Apache TomEE 1.6.0