Posted to users@tomcat.apache.org by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID> on 2021/07/02 15:44:39 UTC
Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5
On 7/2/21 12:02 AM, Mark Thomas wrote:
> It is an alternative session manager that persists session data via a
> configured Store. There are two Store implementations provided by
> default - File and DataSource.
>
> You would know if you were using it as it requires explicit configuration.
Thanks for the specific documentation link; I would not have known where
to look in the docs. My friends and colleagues seem to think I have
brilliant research skills; in fact, I simply have no qualms about asking
for help.
Our webapp totally lacks a "context.xml" (I looked for one) but I see
such files, with Manager elements, in the manager and host-manager
webapps. Are they affected by CVE-2021-25329/CVE-2020-9484?
Incidentally, speaking of those webapps, when installing, we immediately
jettison all as-shipped webapps *except* manager and host-manager. We
use manager all the time, but I'm not even sure what host-manager does.
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5
Posted by Mark Thomas <ma...@apache.org>.
On 02/07/2021 16:44, James H. H. Lampert wrote:
> On 7/2/21 12:02 AM, Mark Thomas wrote:
>
>> It is an alternative session manager that persists session data via a
>> configured Store. There are two Store implementations provided by
>> default - File and DataSource.
>>
>> You would know if you were using it as it requires explicit
>> configuration.
>
> Thanks for the specific documentation link; I would not have known where
> to look in the docs. My friends and colleagues seem to think I have
> brilliant research skills; in fact, I simply have no qualms about asking
> for help.
>
> Our webapp totally lacks a "context.xml" (I looked for one) but I see
> such files, with Manager elements, in the manager and host-manager
> webapps. Are they affected by CVE-2021-25329/CVE-2020-9484?
Not unless you have changed the default configuration to use the
persistent manager (via the className attribute).
Mark
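A check a defender can run to settle the question above, added here as an example and not code from this thread or from the Tomcat project: it parses a context.xml or server.xml and reports only Manager elements whose className selects the persistent manager, so a Manager element with no className (the default StandardManager) is not flagged. The fully qualified class names are the ones Tomcat's documentation uses, not quoted in the thread; the sample XML below is constructed.

```python
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"


def find_persistent_managers(xml_text, source="<inline>"):
    """Return (source, manager class, store class) for every <Manager> that
    selects PersistentManager. A <Manager> with no className, or with any
    other className, uses Tomcat's default StandardManager and is skipped."""
    root = ET.fromstring(xml_text)
    hits = []
    # iter() also finds Managers nested inside <Context> in server.xml
    for mgr in root.iter("Manager"):
        if mgr.get("className") != PERSISTENT_MANAGER:
            continue
        store = mgr.find("Store")
        store_cls = store.get("className", "") if store is not None else ""
        hits.append((source, PERSISTENT_MANAGER, store_cls))
    return hits


def scan_paths(paths):
    """Scan a list of Tomcat config files and return all hits across them."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results.extend(find_persistent_managers(fh.read(), path))
    return results


# Constructed sample resembling the manager webapp's context.xml: the Manager
# element carries no className, so it stays on StandardManager -> not flagged.
MANAGER_CONTEXT_XML = """<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.0\\.0\\.1" />
  <Manager pathname="" />
</Context>
"""

# Constructed sample of an application that explicitly opted in via className
# and uses the File store; this is the configuration the advisory concerns.
APP_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
"""

if __name__ == "__main__":
    print(find_persistent_managers(MANAGER_CONTEXT_XML, "manager/META-INF/context.xml"))
    print(find_persistent_managers(APP_CONTEXT_XML, "myapp/META-INF/context.xml"))
```

Point scan_paths() at every META-INF/context.xml, conf/context.xml and conf/server.xml on a host; an empty result means no deployment has switched to the persistent manager.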
Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5
Posted by Christopher Schultz <ch...@christopherschultz.net>.
James,
On 7/2/21 11:44, James H. H. Lampert wrote:
> On 7/2/21 12:02 AM, Mark Thomas wrote:
>
>> It is an alternative session manager that persists session data via a
>> configured Store. There are two Store implementations provided by
>> default - File and DataSource.
>>
>> You would know if you were using it as it requires explicit
>> configuration.
>
> Thanks for the specific documentation link; I would not have known where
> to look in the docs. My friends and colleagues seem to think I have
> brilliant research skills; in fact, I simply have no qualms about asking
> for help.
>
> Our webapp totally lacks a "context.xml" (I looked for one) but I see
> such files, with Manager elements, in the manager and host-manager
> webapps. Are they affected by CVE-2021-25329/CVE-2020-9484?
>
> Incidentally, speaking of those webapps, when installing, we immediately
> jettison all as-shipped webapps *except* manager and host-manager. We
> use manager all the time, but I'm not even sure what host-manager does.
I honestly have never seen a real-world use-case for where the
host-manager is useful. I'm sure it's critically important for somebody
out there, though.
-chris