Posted to users@tomcat.apache.org by Su...@emc.com on 2005/03/21 21:42:17 UTC

CERT Vulnerability Note VU#204710 on Tomcat 3.x

Hi,

CERT released a vulnerability note on Tomcat 3.x last week. 
See the following url for details:

http://www.kb.cert.org/vuls/id/204710

We are running two configurations of Apache and Tomcat:
Apache v1.3.27 with Tomcat v4.1.29
Apache v1.3.27 with Tomcat v4.0.6

I'm trying to determine if these versions of Tomcat are vulnerable. Can
anyone confirm or deny?

If you like, respond to summers_ed () emc ! com 

Thanks,
Ed 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: CERT Vulnerability Note VU#204710 on Tomcat 3.x

Posted by Jess Holle <je...@ptc.com>.
Bill Barker wrote:

>"Jess Holle" <je...@ptc.com> wrote in message 
>news:423F69C8.5000608@ptc.com...
>  
>
>>This vulnerability note has to be amongst the most vague and least 
>>informative I've ever seen.  It says that Tomcat 3.x and AJP12 has an 
>>issue and that the issue is not present in Tomcat 5.
>>
>>What about Tomcat 4 and 4.1?  What about AJP13?  The report simply does 
>>not address any of these variations.
>>    
>>
>AJP12 is deprecated in Tomcat 3.3.x, and isn't supported at all in Tomcat >= 
>4.
>
I know, which is why I was rather critical of the vulnerability note.  
It raises general fears and questions but only sheds very little light 
on the situation for anyone not using Tomcat 5.

>At a guess, the AJP13 variant of it is http://issues.apache.org/bugzilla/show_bug.cgi?id=31204.
>  
>
That sounds logical.  Of course, a firewall seems like a better solution 
to the whole class of issues here.

>>On the other hand, any production installation should block communication 
>>on the AJP 12 or AJP13 port except where it is coming from Apache.  This 
>>completely addresses the vulnerability irrespective of version.
>>    
>>
--
Jess Holle
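As an added example (not from the thread or from the Tomcat project), one way to carry out the advice above, allowing the AJP13 port only from the Apache host, on a Linux host with iptables. It assumes AJP13 on its default port 8009 and a constructed Apache address of 192.0.2.10; `ajp_rules` prints the rules for review and `ajp_audit` checks `iptables-save` output to confirm the port really is closed to everyone else.

```shell
#!/bin/sh
# Added example: restrict the AJP13 port to the Apache front end, as the thread recommends.
# Assumptions (not from the thread): Linux iptables, AJP13 on 8009, Apache at 192.0.2.10.

# Print the iptables commands (review them, then pipe to sh as root).
ajp_rules() {
  port="$1"; apache="$2"
  printf '%s\n' \
    "iptables -A INPUT -p tcp --dport $port -s $apache -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport $port -s 127.0.0.1 -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Audit iptables-save output on stdin: exit 0 when the AJP port is accepted only
# from the Apache host (or loopback) and then dropped for everyone else, in that
# order; exit 1 when a broader ACCEPT precedes the DROP or no DROP exists at all.
ajp_audit() {
  port="$1"; apache="$2"
  awk -v port="$port" -v apache="$apache" '
    $1 == "-A" && $2 == "INPUT" {
      p = ""; src = ""; act = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "--dport") p = $(i + 1)
        if ($i == "-s")      src = $(i + 1)
        if ($i == "-j")      act = $(i + 1)
      }
      if (p != port) next
      sub(/\/32$/, "", src)      # iptables-save writes single hosts as a.b.c.d/32
      if (act == "ACCEPT" && !drop && src != apache && src != "127.0.0.1") bad = 1
      if ((act == "DROP" || act == "REJECT") && src == "") drop = 1
    }
    END { exit (drop && !bad) ? 0 : 1 }'
}

# Constructed iptables-save excerpt (not real output) for trying the audit offline:
SAMPLE_RULES='-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 8009 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8009 -j DROP'

# Usage (as root, after reviewing the printed rules):
#   ajp_rules 8009 192.0.2.10 | sh
#   iptables-save | ajp_audit 8009 192.0.2.10 && echo "AJP port restricted to Apache"
#   printf '%s\n' "$SAMPLE_RULES" | ajp_audit 8009 192.0.2.10 && echo "sample passes"
```

The audit only reads the INPUT chain and ignores negated (`! -s`) matches, so treat a passing result as a sanity check rather than a full firewall review.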


Re: CERT Vulnerability Note VU#204710 on Tomcat 3.x

Posted by Bill Barker <wb...@wilshire.com>.
"Jess Holle" <je...@ptc.com> wrote in message 
news:423F69C8.5000608@ptc.com...
> This vulnerability note has to be amongst the most vague and least 
> informative I've ever seen.  It says that Tomcat 3.x and AJP12 has an 
> issue and that the issue is not present in Tomcat 5.
>
> What about Tomcat 4 and 4.1?  What about AJP13?  The report simply does 
> not address any of these variations.


AJP12 is deprecated in Tomcat 3.3.x, and isn't supported at all in Tomcat >= 
4.  At a guess, the AJP13 variant of it is 
http://issues.apache.org/bugzilla/show_bug.cgi?id=31204.

>
> On the other hand, any production installation should block communication 
> on the AJP 12 or AJP13 port except where it is coming from Apache.  This 
> completely addresses the vulnerability irrespective of version.
>
> --
> Jess Holle
>
> Summers_Ed@emc.com wrote:
>
>>Hi,
>>
>>CERT released a vulnerability note on Tomcat 3.x last week. See the 
>>following url for details:
>>
>>http://www.kb.cert.org/vuls/id/204710
>>
>>We are running two configurations of Apache and Tomcat:
>>Apache v1.3.27 with Tomcat v4.1.29
>>Apache v1.3.27 with Tomcat v4.0.6
>>
>>I'm trying to determine if these versions of Tomcat are vulnerable. Can
>>anyone confirm or deny?
>>
>>If you like, respond to summers_ed () emc ! com
>>Thanks,
>>Ed
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>> 



Re: CERT Vulnerability Note VU#204710 on Tomcat 3.x

Posted by Jess Holle <je...@ptc.com>.
This vulnerability note has to be amongst the most vague and least 
informative I've ever seen.  It says that Tomcat 3.x and AJP12 has an 
issue and that the issue is not present in Tomcat 5.

What about Tomcat 4 and 4.1?  What about AJP13?  The report simply does 
not address any of these variations.

On the other hand, any production installation should block 
communication on the AJP 12 or AJP13 port except where it is coming from 
Apache.  This completely addresses the vulnerability irrespective of 
version.

--
Jess Holle

Summers_Ed@emc.com wrote:

>Hi,
>
>CERT released a vulnerability note on Tomcat 3.x last week. 
>See the following url for details:
>
>http://www.kb.cert.org/vuls/id/204710
>
>We are running two configurations of Apache and Tomcat:
>Apache v1.3.27 with Tomcat v4.1.29
>Apache v1.3.27 with Tomcat v4.0.6
>
>I'm trying to determine if these versions of Tomcat are vulnerable. Can
>anyone confirm or deny?
>
>If you like, respond to summers_ed () emc ! com 
>
>Thanks,
>Ed 
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>  
>
