Posted to dev@geronimo.apache.org by "Jay D. McHugh (JIRA)" <ji...@apache.org> on 2008/01/24 02:01:12 UTC

[jira] Resolved: (GERONIMO-3549) Potential vulnerability in Apache Tomcat Webdav servlet

     [ https://issues.apache.org/jira/browse/GERONIMO-3549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jay D. McHugh resolved GERONIMO-3549.
-------------------------------------

    Resolution: Fixed

Commits for Geronimo-3451 ('restricted listeners') also include necessary security fixes for this issue.

> Potential vulnerability in Apache Tomcat Webdav servlet
> -------------------------------------------------------
>
>                 Key: GERONIMO-3549
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3549
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 1.1.1, 1.2, 2.0, 2.0.1, 2.0.2, 2.0.x, 2.1
>            Reporter: Donald Woods
>            Assignee: Jay D. McHugh
>             Fix For: 2.0.x, 2.1
>
>
> Subject: 	[SECURITY] Potential vulnerability in Apache Tomcat Webdav servlet
> Date: 	Thu, 18 Oct 2007 13:40:24 -0400
> From: 	Kevan Miller <ke...@gmail.com>
> Reply-To: 	dev@geronimo.apache.org
> To: 	Geronimo Dev <de...@geronimo.apache.org>
> The Geronimo project has learned of a security vulnerability in the 
> Apache Tomcat Webdav Servlet implementation. If you use a Tomcat 
> configuration of Geronimo and configure a write-enabled Webdav servlet, 
> you may be affected by this vulnerability. If you do not configure the 
> Webdav servlet or configure read-only Webdav servlets, you are not 
> impacted by this vulnerability. Jetty configurations of Geronimo are not 
> affected by this vulnerability. 
> This vulnerability impacts all Geronimo releases up to and including 
> Geronimo 2.0.2.
> For specific information regarding the Tomcat issue, see http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3c47135C2D.1000705@apache.org%3e
> By default, Geronimo releases do not use the Webdav servlet. However, it 
> is possible for the Webdav Servlet to be configured or referenced by a 
> user-written application. 
> The Webdav Servlet could be explicitly configured in a web.xml 
> deployment descriptor as follows:
>          ...
>     <servlet>
>         <servlet-name>webdav</servlet-name>
>         <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
>         <init-param>
>           <param-name>readonly</param-name>
>           <param-value>false</param-value>
>         </init-param>
>     </servlet>
> Alternatively, a user's application could extend the WebdavServlet, for 
> example:
>         import org.apache.catalina.servlets.WebdavServlet;
>         public class MyServlet extends WebdavServlet {
>    ...
>    
> If you configure a write-enabled Webdav servlet, we recommend that you:
>   - Disable write access to the Webdav Servlet until this problem has 
> been fixed, or
>   - Limit access to the Webdav servlet to only trusted users.
> This vulnerability will be fixed in the next release of Geronimo (2.0.3 
> and/or 2.1). 
> --kevan

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.