Posted to dev@geronimo.apache.org by "Donald Woods (JIRA)" <ji...@apache.org> on 2007/10/24 03:44:50 UTC

[jira] Created: (GERONIMO-3549) Potential vulnerability in Apache Tomcat Webdav servlet

Potential vulnerability in Apache Tomcat Webdav servlet
-------------------------------------------------------

                 Key: GERONIMO-3549
                 URL: https://issues.apache.org/jira/browse/GERONIMO-3549
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: Tomcat
    Affects Versions: 2.0.2, 2.0.1, 2.0, 1.1.1, 1.2, 2.0.x, 2.1
            Reporter: Donald Woods
             Fix For: 2.0.x, 2.1


Subject: 	[SECURITY] Potential vulnerability in Apache Tomcat Webdav servlet
Date: 	Thu, 18 Oct 2007 13:40:24 -0400
From: 	Kevan Miller <ke...@gmail.com>
Reply-To: 	dev@geronimo.apache.org
To: 	Geronimo Dev <de...@geronimo.apache.org>



The Geronimo project has learned of a security vulnerability in the 
Apache Tomcat Webdav Servlet implementation. If you use a Tomcat 
configuration of Geronimo and configure a write-enabled Webdav servlet, 
you may be affected by this vulnerability. If you do not configure the 
Webdav servlet or configure read-only Webdav servlets, you are not 
impacted by this vulnerability. Jetty configurations of Geronimo are not 
affected by this vulnerability. 

This vulnerability impacts all Geronimo releases up to and including 
Geronimo 2.0.2.

For specific information regarding the Tomcat issue, see http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3c47135C2D.1000705@apache.org%3e

By default, Geronimo releases do not use the Webdav servlet. However, it 
is possible for the Webdav Servlet to be configured or referenced by a 
user-written application. 

The Webdav Servlet could be explicitly configured in a web.xml 
deployment descriptor as follows:

    ...
    <servlet>
        <servlet-name>webdav</servlet-name>
        <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
    </servlet>

Alternatively, a user's application could extend the WebdavServlet, for 
example:

    import org.apache.catalina.servlets.WebdavServlet;

    public class MyServlet extends WebdavServlet {
        ...
    }

If you configure a write-enabled Webdav servlet, we recommend that you:

  - Disable write access to the Webdav Servlet until this problem has 
been fixed, or
  - Limit access to the Webdav servlet to only trusted users.

This vulnerability will be fixed in the next release of Geronimo (2.0.3 
and/or 2.1). 

--kevan


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
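The advisory above names one risky configuration (a `WebdavServlet` with `readonly` set to `false`) and two mitigations (make it read-only, or restrict it to trusted users). The script below is an added example, not part of the advisory, of Geronimo or of Tomcat: it parses a `web.xml`, reports every `org.apache.catalina.servlets.WebdavServlet` declaration, says whether it is write-enabled, and checks whether its URL patterns sit behind a `security-constraint` with an `auth-constraint`. Both descriptors embedded in it are constructed for the example; the role name `webdav-user` and the choice of a container `security-constraint` as the way to "limit access to trusted users" are assumptions. A servlet that extends `WebdavServlet` under its own class name (the second pattern in the advisory) is not detected by this check, because the descriptor only carries the subclass name.

```python
"""Added example (not Geronimo or Tomcat project code): audit a web.xml for a
write-enabled org.apache.catalina.servlets.WebdavServlet, the configuration the
advisory above describes, and check whether the two recommended mitigations
(readonly=true, or access limited to authenticated users) are in place.
Both sample descriptors below are constructed for this example."""
import xml.etree.ElementTree as ET

WEBDAV_CLASS = "org.apache.catalina.servlets.WebdavServlet"


def _strip_ns(root):
    # Servlet 2.4+ descriptors carry a default namespace; older DTD-based ones
    # do not. Dropping the "{uri}" prefix lets one set of tag names serve both.
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def _text(el, child):
    node = el.find(child)
    return (node.text or "").strip() if node is not None else ""


def _texts(el, child):
    return [(n.text or "").strip() for n in el.findall(child)]


def audit_web_xml(xml_text):
    """Return one finding dict per WebdavServlet declared in the descriptor."""
    root = _strip_ns(ET.fromstring(xml_text))

    mappings = {}  # servlet-name -> url-patterns
    for m in root.findall("servlet-mapping"):
        mappings.setdefault(_text(m, "servlet-name"), []).extend(_texts(m, "url-pattern"))

    protected = set()  # url-patterns behind an auth-constraint for every HTTP method
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no role required: not a restriction to trusted users
        for wrc in sc.findall("web-resource-collection"):
            if wrc.findall("http-method"):
                continue  # listing methods constrains only those; WebDAV uses many others
            protected.update(_texts(wrc, "url-pattern"))

    findings = []
    for s in root.findall("servlet"):
        if _text(s, "servlet-class") != WEBDAV_CLASS:
            continue
        params = {_text(p, "param-name"): _text(p, "param-value").lower()
                  for p in s.findall("init-param")}
        # Tomcat's WebdavServlet is read-only unless readonly is explicitly false.
        writable = params.get("readonly", "true") == "false"
        patterns = mappings.get(_text(s, "servlet-name"), [])
        unprotected = [p for p in patterns if p not in protected]
        findings.append({
            "servlet": _text(s, "servlet-name"),
            "writable": writable,
            "url_patterns": patterns,
            "unprotected_patterns": unprotected,
            "exposed_write": writable and bool(unprotected),
        })
    return findings


# Constructed: the write-enabled, unauthenticated configuration from the advisory.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/webdav/*</url-pattern></servlet-mapping>
</web-app>"""

# Constructed: both mitigations applied; the role name "webdav-user" is an assumption.
HARDENED_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/webdav/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>WebDAV</web-resource-name><url-pattern>/webdav/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>webdav-user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>WebDAV</realm-name></login-config>
  <security-role><role-name>webdav-user</role-name></security-role>
</web-app>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for finding in audit_web_xml(xml):
            print(label, finding)
```

Run it against a deployed application's `WEB-INF/web.xml` by passing the file contents to `audit_web_xml`; a finding with `exposed_write` set is the case the advisory warns about. The `http-method` check matters because a `security-constraint` that lists methods protects only those methods, so a constraint written for GET and POST alone would leave the WebDAV write methods unrestricted.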


[jira] Resolved: (GERONIMO-3549) Potential vulnerability in Apache Tomcat Webdav servlet

Posted by "Jay D. McHugh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jay D. McHugh resolved GERONIMO-3549.
-------------------------------------

    Resolution: Fixed

Commits for Geronimo-3451 ('restricted listeners') also include necessary security fixes for this issue.

> Potential vulnerability in Apache Tomcat Webdav servlet
> -------------------------------------------------------
>
>                 Key: GERONIMO-3549
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3549
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 1.1.1, 1.2, 2.0, 2.0.1, 2.0.2, 2.0.x, 2.1
>            Reporter: Donald Woods
>            Assignee: Jay D. McHugh
>             Fix For: 2.0.x, 2.1



[jira] Closed: (GERONIMO-3549) Potential vulnerability in Apache Tomcat Webdav servlet

Posted by "Jay D. McHugh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jay D. McHugh closed GERONIMO-3549.
-----------------------------------


> Potential vulnerability in Apache Tomcat Webdav servlet
> -------------------------------------------------------
>
>                 Key: GERONIMO-3549
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3549
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 1.1.1, 1.2, 2.0, 2.0.1, 2.0.2, 2.0.x, 2.1
>            Reporter: Donald Woods
>            Assignee: Jay D. McHugh
>             Fix For: 2.0.x, 2.1



[jira] Updated: (GERONIMO-3549) Potential vulnerability in Apache Tomcat Webdav servlet

Posted by "Joe Bohn (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joe Bohn updated GERONIMO-3549:
-------------------------------

    Affects Version/s:     (was: 2.0.x)
        Fix Version/s:     (was: 2.0.x)
                       2.0.3

> Potential vulnerability in Apache Tomcat Webdav servlet
> -------------------------------------------------------
>
>                 Key: GERONIMO-3549
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3549
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 1.1.1, 1.2, 2.0, 2.0.1, 2.0.2, 2.1
>            Reporter: Donald Woods
>            Assignee: Jay D. McHugh
>             Fix For: 2.0.3, 2.1



[jira] Assigned: (GERONIMO-3549) Potential vulnerability in Apache Tomcat Webdav servlet

Posted by "Jay D. McHugh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jay D. McHugh reassigned GERONIMO-3549:
---------------------------------------

    Assignee: Jay D. McHugh

> Potential vulnerability in Apache Tomcat Webdav servlet
> -------------------------------------------------------
>
>                 Key: GERONIMO-3549
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3549
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 1.1.1, 1.2, 2.0, 2.0.1, 2.0.2, 2.0.x, 2.1
>            Reporter: Donald Woods
>            Assignee: Jay D. McHugh
>             Fix For: 2.0.x, 2.1
