Posted to dev@geronimo.apache.org by "Jay D. McHugh (JIRA)" <ji...@apache.org> on 2008/01/24 02:01:12 UTC
[jira] Resolved: (GERONIMO-3549) Potential vulnerability in Apache Tomcat Webdav servlet
[ https://issues.apache.org/jira/browse/GERONIMO-3549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jay D. McHugh resolved GERONIMO-3549.
-------------------------------------
Resolution: Fixed
Commits for Geronimo-3451 ('restricted listeners') also include necessary security fixes for this issue.
> Potential vulnerability in Apache Tomcat Webdav servlet
> -------------------------------------------------------
>
> Key: GERONIMO-3549
> URL: https://issues.apache.org/jira/browse/GERONIMO-3549
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: Tomcat
> Affects Versions: 1.1.1, 1.2, 2.0, 2.0.1, 2.0.2, 2.0.x, 2.1
> Reporter: Donald Woods
> Assignee: Jay D. McHugh
> Fix For: 2.0.x, 2.1
>
>
> Subject: [SECURITY] Potential vulnerability in Apache Tomcat Webdav servlet
> Date: Thu, 18 Oct 2007 13:40:24 -0400
> From: Kevan Miller <ke...@gmail.com>
> Reply-To: dev@geronimo.apache.org
> To: Geronimo Dev <de...@geronimo.apache.org>
> The Geronimo project has learned of a security vulnerability in the
> Apache Tomcat Webdav Servlet implementation. If you use a Tomcat
> configuration of Geronimo and configure a write-enabled Webdav servlet,
> you may be affected by this vulnerability. If you do not configure the
> Webdav servlet or configure read-only Webdav servlets, you are not
> impacted by this vulnerability. Jetty configurations of Geronimo are not
> affected by this vulnerability.
> This vulnerability impacts all Geronimo releases, up to and including
> Geronimo 2.0.2.
> For specific information regarding the Tomcat issue, see http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3c47135C2D.1000705@apache.org%3e
> By default, Geronimo releases do not use the Webdav servlet. However, it
> is possible for the Webdav Servlet to be configured or referenced by a
> user-written application.
> The Webdav Servlet could be explicitly configured in a web.xml
> deployment descriptor as follows:
> ...
> <servlet>
>     <servlet-name>webdav</servlet-name>
>     <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
>     <init-param>
>         <param-name>readonly</param-name>
>         <param-value>false</param-value>
>     </init-param>
> </servlet>
> Alternatively, a user's application could extend the WebdavServlet, for
> example:
> import org.apache.catalina.servlets.WebdavServlet;
> public class MyServlet extends WebdavServlet {
>     ...
> }
>
> If you configure a write-enabled Webdav servlet, we recommend that you:
> - Disable write access to the Webdav Servlet until this problem has
> been fixed, or
> - Limit access to the Webdav servlet to only trusted users.
> This vulnerability will be fixed in the next release of Geronimo (2.0.3
> and/or 2.1).
> --kevan
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
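Added example, not code from the Geronimo project or from the quoted advisory: a small Python audit that parses a web.xml for the write-enabled WebdavServlet configuration quoted above (readonly set to false) and reports whether the servlet's URL patterns are covered by a security-constraint with an auth-constraint, i.e. the "trusted users" mitigation. The sample web.xml is constructed; a subclass such as the MyServlet example cannot be seen from web.xml and needs a separate check of the application's classes.

```python
import xml.etree.ElementTree as ET

# Added example (not Geronimo project code): find write-enabled WebdavServlet entries in a
# web.xml and report whether their url-patterns are guarded by an <auth-constraint>.
WEBDAV_CLASS = "org.apache.catalina.servlets.WebdavServlet"

def _children(elem, name):
    # Compare local names so web.xml 2.3 (no namespace) and 2.4+ (xmlns) both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else None

def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]

def audit_webdav(web_xml):
    root = ET.fromstring(web_xml)
    guarded = set()  # url-patterns restricted to roles by a security-constraint with auth-constraint
    for sc in _children(root, "security-constraint"):
        if _children(sc, "auth-constraint"):
            for wrc in _children(sc, "web-resource-collection"):
                guarded.update(_texts(wrc, "url-pattern"))
    mappings = {}
    for m in _children(root, "servlet-mapping"):
        mappings.setdefault(_text(m, "servlet-name"), []).extend(_texts(m, "url-pattern"))
    findings = {}
    for s in _children(root, "servlet"):
        if _text(s, "servlet-class") != WEBDAV_CLASS:
            continue
        params = {_text(p, "param-name"): _text(p, "param-value") for p in _children(s, "init-param")}
        # Tomcat's WebdavServlet is read-only unless readonly is explicitly set to false.
        if (params.get("readonly") or "true").lower() != "false":
            continue
        name = _text(s, "servlet-name")
        patterns = mappings.get(name, [])
        findings[name] = {"patterns": patterns, "protected": bool(patterns) and all(p in guarded for p in patterns)}
    return findings

# Constructed sample: the advisory's write-enabled servlet, mapped but with no auth-constraint.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/webdav/*</url-pattern></servlet-mapping>
</web-app>"""
```

Running `audit_webdav(SAMPLE_WEB_XML)` flags the `webdav` servlet as writable and unprotected; setting `readonly` to `true`, or omitting it, clears the finding, and adding a security-constraint with an auth-constraint over `/webdav/*` marks it protected.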