Posted to users@tomcat.apache.org by "Bradley, Richard" <rm...@blm.gov> on 2018/06/20 17:16:36 UTC

Configuring CORS filter

Hello,

Tomcat version: 8.5.31
O/S: Windows Server 2008 R2

McAfee vulnerability checker has reported a MEDIUM level vulnerability as
follows:

Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
[FID 23621]

Apache Software Foundation reports this in announce@tomcat.apache.org
<ht...@tomcat.apache.org>:

CVE-2018-8014 Insecure defaults for CORS filter

and the only mitigation is to "Configure the filter appropriately for your
environment"

My question is:

What if you don't have a CORS filter configured anywhere in Tomcat's or the
web apps' associated web.xml files?

It seems that if you explicitly configure a minimum filter specified in the
documentation

(https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CORS_Filter)

then you have to be concerned about the cors.support.credentials allowing
the default of "true".

Thanks,

Rick





-- 
Richard M. Bradley (Rick)

*Geospatial Engineer*
BLM NOC EGIS
Sanborn Map Company, Inc.
Phone number: (303) 236-4538
rmbradley@blm.gov




"Decide that you want it more than you're afraid of it.  Your greatest
dreams are all on the other side of the wall of fear and caution."

- Unknown

This e-mail, including any attachments, contains information intended only
for the use of the individual or entity to which it is addressed and may
contain information that is privileged and/or confidential or is otherwise
protected by law. If you are not the intended recipient or agent or an
employee responsible for delivering the communication to the intended
recipient, you are hereby notified that any review, use, disclosure,
copying and/or distribution of its contents is prohibited. If you have
received this e-mail in error, please notify us immediately by reply to
sender only and destroy the original.

Re: [EXTERNAL] Re: Configuring CORS filter

Posted by "Bradley, Richard" <rm...@blm.gov>.
Thank you, Mark, for the quick reply!  Yeah... Apache reports it as LOW and
they report it as MEDIUM.  We have to mitigate all MEDIUM and HIGH
vulnerabilities.

Best regards,

Rick


On Wed, Jun 20, 2018 at 1:00 PM, Mark Thomas <ma...@apache.org> wrote:

> On 20/06/18 18:16, Bradley, Richard wrote:
> > Hello,
> >
> > Tomcat version: 8.5.31
> > O/S: Windows Server 2008 R2
> >
> > McAfee vulnerability checker has reported a MEDIUM level vulnerability as
> > follows:
> >
> > Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
> > [FID 23621]
> >
> > Apache Software Foundation reports this in  announce@tomcat.apache.org
> > <ht...@tomcat.apache.org>:
> >
> > CVE-2018-8014 Insecure defaults for CORS filter
> >
> > and the only mitigation is to "Configure the filter appropriately for
> your
> > environment"
> >
> > My question is:
> >
> > What if you don't have a CORS filter configured anywhere in the Tomcat
> and
> > web apps associated web.xml files?
>
> You have nothing to worry about.
>
> Well, apart from the poor quality of your vulnerability scanner that
> looks like it is reporting a CORS issue without checking to see if CORS
> headers are being sent.
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>



Re: Configuring CORS filter

Posted by Mark Thomas <ma...@apache.org>.
On 20/06/18 18:16, Bradley, Richard wrote:
> Hello,
> 
> Tomcat version: 8.5.31
> O/S: Windows Server 2008 R2
> 
> McAfee vulnerability checker has reported a MEDIUM level vulnerability as
> follows:
> 
> Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
> [FID 23621]
> 
> Apache Software Foundation reports this in  announce@tomcat.apache.org
> <ht...@tomcat.apache.org>:
> 
> CVE-2018-8014 Insecure defaults for CORS filter
> 
> and the only mitigation is to "Configure the filter appropriately for your
> environment"
> 
> My question is:
> 
> What if you don't have a CORS filter configured anywhere in the Tomcat and
> web apps associated web.xml files?

You have nothing to worry about.

Well, apart from the poor quality of your vulnerability scanner that
looks like it is reporting a CORS issue without checking to see if CORS
headers are being sent.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
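An added example, written for this page and not taken from the thread or from Tomcat's own code, that puts both halves of the exchange into a checkable form: Rick's concern that the minimal CorsFilter declaration from the documentation inherits `cors.support.credentials=true` on 8.5.31 (the CVE-2018-8014 default, fixed in 8.5.32 per the scanner text quoted above), and Mark's point that the finding only matters if CORS headers are actually emitted. The web.xml snippets and HTTP headers below are constructed samples; the version boundary is modelled only for the 8.5 branch named in the thread, and the `https://app.example.com` / `https://other.example` origins are placeholders.

```python
"""Assess a Tomcat CorsFilter declaration and a captured response for the
CVE-2018-8014 pattern: credentials permitted for every origin.
Added example for this thread; not Tomcat project code."""
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"


def _local(tag):
    """Strip the default namespace that real web.xml files declare."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def cors_filter_params(web_xml):
    """Return the CorsFilter's init-params as a dict, or None when the
    deployment descriptor declares no CorsFilter at all."""
    for filt in ET.fromstring(web_xml).iter():
        if _local(filt.tag) != "filter":
            continue
        if _child_text(filt, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {}
        for ip in filt:
            if _local(ip.tag) == "init-param":
                params[_child_text(ip, "param-name")] = _child_text(ip, "param-value")
        return params
    return None


def credentials_default(tomcat_version):
    """Effective cors.support.credentials when the parameter is omitted.
    Modelled for the 8.5 branch only (assumption for this example):
    "true" before 8.5.32 (the CVE-2018-8014 default), "false" from 8.5.32 on."""
    major, minor, patch = (int(p) for p in tomcat_version.split(".")[:3])
    if (major, minor) != (8, 5):
        raise ValueError("only the 8.5 branch is modelled in this example")
    return patch < 32


def assess_config(web_xml, tomcat_version):
    """Classify a web.xml: no filter at all, the any-origin-plus-credentials
    combination, or an explicitly scoped configuration."""
    params = cors_filter_params(web_xml)
    if params is None:
        return "no-cors-filter"  # Tomcat itself emits no CORS headers here
    origins = params.get("cors.allowed.origins", "*") or ""  # documented default is "*"
    raw = params.get("cors.support.credentials")
    creds = credentials_default(tomcat_version) if raw is None else raw.lower() == "true"
    if origins.strip() == "*" and creds:
        return "any-origin-with-credentials"
    return "ok"


def assess_response(headers, request_origin):
    """Classify one captured response to a request that carried
    `request_origin` (header names compared case-insensitively). This is the
    check a scanner should make before reporting a CORS finding."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return "no-cors-headers"
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == request_origin and creds:
        return "credentialed-access-for-request-origin"
    return "wildcard" if acao == "*" else "restricted"


# Constructed deployment descriptors (not taken from the thread).
MINIMAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Same filter with the two parameters pinned explicitly (placeholder origin).
HARDENED_WEB_XML = MINIMAL_WEB_XML.replace("</filter>", """  <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://app.example.com</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>""")

NO_FILTER_WEB_XML = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>'

if __name__ == "__main__":
    for label, xml in (("minimal", MINIMAL_WEB_XML), ("hardened", HARDENED_WEB_XML),
                       ("none", NO_FILTER_WEB_XML)):
        print(f"{label:9} 8.5.31: {assess_config(xml, '8.5.31'):30} "
              f"8.5.32: {assess_config(xml, '8.5.32')}")
```

Running the script shows the point of the thread directly: the documented minimal declaration classifies as `any-origin-with-credentials` on 8.5.31 and as `ok` on 8.5.32 with no configuration change, while a descriptor with no CorsFilter is `no-cors-filter` on either version. `assess_response` is the header-level check that Mark says the scanner should have performed; run it against a response captured from your own server to a request with an origin that should not be allowed, and a result of `no-cors-headers` means the CVE does not apply to that deployment.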