Apache TomEE vulnerabilities

This page lists all security vulnerabilities fixed in maintenance releases or interim builds of Apache TomEE 1.x. Each vulnerability is given a security impact rating by either the Apache TomEE team or by the dependent project supplying the fix - please note that this rating is not uniform and will vary from project to project. We also list the versions of Apache TomEE the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Note: Vulnerabilities that are not TomEE vulnerabilities but have either been incorrectly reported against TomEE or where TomEE provides a workaround are listed bellow in the section "Not a vulnerability".

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Apache TomEE version that you are using. For TomEE 1.x those are Building TomEE 1.x.

If you need help on building or configuring TomEE or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Users mailing list

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

Fixed in Apache TomEE 7.0.1

Fixed in Apache TomEE 7.0.0-M3 and 1.7.4

TomEE was subject until versions 1.7.3 and 7.0.0-M1 included to the 0-day vulnerability. Note that even if fixed in 7.0.0-M2 we recommand you to upgrade to the 7.0.0-M3 which includes a better fix for that (better defaults).

This issue only affects you if you rely on EJBd protocol (proprietary remote EJB protocol). This one one is not activated by default on the 7.x series but it was on the 1.x ones.

The related CVE numbers are:

This has been fixed in commit 58cdbbef9c77ab2b44870f9d606593b49cde76d9.

Check properties configuration and Ejbd transport for more details (tomee.serialization.class.* and tomee.remote.support).


We would like to thank cpnrodzc7 who discovered it working with HP's Zero Day Initiative

Fixed in Third-party

Covered by Apache TomEE

Covered by Apache TomEE

Covered by Apache TomEE 1.6.0

Not a vulnerability