Posted to users@tomcat.apache.org by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID> on 2021/07/02 15:44:39 UTC

Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5

On 7/2/21 12:02 AM, Mark Thomas wrote:

> It is an alternative session manager that persists session data via a 
> configured Store. There are two Store implementations provided by 
> default - File and DataSource.
> 
> You would know if you were using it as it requires explicit configuration.

Thanks for the specific documentation link; I would not have known where 
to look in the docs. My friends and colleagues seem to think I have 
brilliant research skills; in fact, I simply have no qualms about asking 
for help.

Our webapp totally lacks a "context.xml" (I looked for one) but I see 
such files, with Manager elements, in the manager and host-manager 
webapps. Are they affected by CVE-2021-25329/CVE-2020-9484?

Incidentally, speaking of those webapps, when installing, we immediately 
jettison all as-shipped webapps *except* manager and host-manager. We 
use manager all the time, but I'm not even sure what host-manager does.

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5

Posted by Mark Thomas <ma...@apache.org>.
On 02/07/2021 16:44, James H. H. Lampert wrote:
> On 7/2/21 12:02 AM, Mark Thomas wrote:
> 
>> It is an alternative session manager that persists session data via a 
>> configured Store. There are two Store implementations provided by 
>> default - File and DataSource.
>>
>> You would know if you were using it as it requires explicit 
>> configuration.
> 
> Thanks for the specific documentation link; I would not have known where 
> to look in the docs. My friends and colleagues seem to think I have 
> brilliant research skills; in fact, I simply have no qualms about asking 
> for help.
> 
> Our webapp totally lacks a "context.xml" (I looked for one) but I see 
> such files, with Manager elements, in the manager and host-manager 
> webapps. Are they affected by CVE-2021-25329/CVE-2020-9484?

Not unless you have changed the default configuration to use the 
persistent manager (via the className attribute).

Mark

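Mark's answer reduces the question to a configuration check: a Context is only using the persistent manager if a Manager element sets className to PersistentManager. The following script is an added example, not code from the thread or from the Tomcat project; it walks the places Tomcat reads Manager elements from (conf/server.xml, conf/context.xml and each webapp's META-INF/context.xml, a layout assumed here) and reports any Manager whose className is not the default. The two XML samples are constructed for the example; the first mirrors the shape of the as-shipped manager webapp's context.xml (a Manager with no className), the second shows what an explicitly configured PersistentManager with a FileStore looks like.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"


def classify_managers(xml_text):
    """Classify every <Manager> element in one Tomcat config document.

    Walks the whole tree, so it works for a webapp's META-INF/context.xml,
    for conf/context.xml, and for server.xml where <Manager> is nested
    under <Context>. Returns one dict per <Manager> element.
    """
    root = ET.fromstring(xml_text)
    results = []
    for mgr in root.iter("Manager"):
        cls = mgr.get("className")
        if cls is None:
            kind = "default"      # no className: Tomcat's StandardManager
        elif cls == PERSISTENT_MANAGER:
            kind = "persistent"   # the manager the CVEs concern
        else:
            kind = "other"        # custom manager class: review manually
        stores = [s.get("className", "") for s in mgr.findall("Store")]
        results.append({"className": cls, "kind": kind, "stores": stores})
    return results


def uses_persistent_manager(xml_text):
    """True if any <Manager> in the document is the PersistentManager."""
    return any(m["kind"] == "persistent" for m in classify_managers(xml_text))


def scan_catalina_base(catalina_base):
    """Map relative config path -> non-default Manager findings.

    Assumes the standard CATALINA_BASE layout: conf/server.xml,
    conf/context.xml and webapps/*/META-INF/context.xml.
    """
    base = Path(catalina_base)
    if not base.is_dir():
        return {}
    candidates = [base / "conf" / "server.xml", base / "conf" / "context.xml"]
    candidates += sorted(base.glob("webapps/*/META-INF/context.xml"))
    hits = {}
    for path in candidates:
        if not path.is_file():
            continue
        try:
            managers = classify_managers(path.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # not well-formed XML; Tomcat would not load it either
        flagged = [m for m in managers if m["kind"] != "default"]
        if flagged:
            hits[str(path.relative_to(base))] = flagged
    return hits


# Constructed sample: shape of the as-shipped manager webapp context.xml.
# The Manager has no className, so the default StandardManager is in use.
DEFAULT_MANAGER_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"/>
</Context>"""

# Constructed sample: a Context explicitly switched to the persistent manager.
PERSISTENT_MANAGER_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = scan_catalina_base(target)
    if not findings:
        print("no non-default <Manager> elements found under", target)
    for rel_path, managers in findings.items():
        for m in managers:
            print(f"{rel_path}: {m['kind']} manager {m['className']} stores={m['stores']}")
```

Run it as `python check_managers.py /path/to/CATALINA_BASE`; an empty report means every Manager element found (including those in the manager and host-manager webapps) is the default one and the persistent manager is not in use.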


Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
James,

On 7/2/21 11:44, James H. H. Lampert wrote:
> On 7/2/21 12:02 AM, Mark Thomas wrote:
> 
>> It is an alternative session manager that persists session data via a 
>> configured Store. There are two Store implementations provided by 
>> default - File and DataSource.
>>
>> You would know if you were using it as it requires explicit 
>> configuration.
> 
> Thanks for the specific documentation link; I would not have known where 
> to look in the docs. My friends and colleagues seem to think I have 
> brilliant research skills; in fact, I simply have no qualms about asking 
> for help.
> 
> Our webapp totally lacks a "context.xml" (I looked for one) but I see 
> such files, with Manager elements, in the manager and host-manager 
> webapps. Are they affected by CVE-2021-25329/CVE-2020-9484?
> 
> Incidentally, speaking of those webapps, when installing, we immediately 
> jettison all as-shipped webapps *except* manager and host-manager. We 
> use manager all the time, but I'm not even sure what host-manager does.

I honestly have never seen a real-world use-case for where the 
host-manager is useful. I'm sure it's critically important for somebody 
out there, though.

-chris
