Skip to main content

Apache TomEE 1.0.x Support

Common Vulnerabilities & Exposures (CVE)

First release: 2012-04-27
Support Lifecycle: Unsupported
CVEs: 131
Namespace: javax
Get Support

What Versions do we cover?


1.0.0

Latest Apache TomEE 1.0.x CVEs

CVE
Severity
Description
Category
Affected
CVE-2024-28752
2024-03-08
0.0
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
datafunctional
CWE-918
Details
CVE-2023-46589
2023-10-23
7.5
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
dataoperational
CWE-444
Details
CVE-2023-46604
2023-10-24
10.0
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
dataoperational
CWE-502:
Details
CVE-2023-44483
2023-09-29
7.4
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
configurationfunctional
CWE-532
Details
CVE-2023-42795
2023-09-14
5.9
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
dataoperational
CWE-459
Details

Most Critical Apache TomEE 1.0.x CVEs

CVE
Severity
Description
Category
Affected
CVE-2015-5254
2015-07-01
9.8
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
data
n/a
Details
CVE-2019-13990
2019-07-19
9.8
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
data
n/a
Details
CVE-2020-1938
2019-12-02
9.8
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
dataoperational
AJP Request Injection leading to possible Remote Code Execution
Details
CVE-2022-41853
2022-09-30
9.8
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
data
CWE-470
Details
CVE-2022-46364
2022-12-02
9.6
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
dataoperational
CWE-918
Details

What We Deliver

Migration support

Production & Development support

1 hr response-time

Unlimited support incidents

5 languages supported

Fast bug fixes & security patch turnaround

Enterprise Support Details

Subscription Level
Bronze
Silver
Gold
Core Count
64 cores
120 cores
248 cores
Apache Tomcat
Apache TomEE
Apache ActiveMQ
Tribestream API Gateway
SLA
24x7
24x7
24x7
Response Time
1hr
1hr
1hr
Incidents
unlimited
unlimited
unlimited
CVE Patching
unlimited
unlimited
unlimited
Developer Questions
1 parallel
2 parallel
4 parallel
Admin Contacts
2
3
4
Phone, Email, Portal
Professional Services
3 days
5 days
10 days
Training
2 days
3 days
5 days
Feature Development
10 days
17 days
25 days