Posted to users@tomcat.apache.org by Martin Cocaro <ma...@mulesoft.com.INVALID> on 2019/10/01 14:35:49 UTC

Additional Information on Apache Tomcat CVE-2018-8037

Apache Tomcat Users Team,

The purpose of this email is to request information regarding Apache Tomcat
CVE-2018-8037 <https://www.securityfocus.com/bid/104894/info> possibly
affecting version 8.0.X (particularly 8.0.53). The CVE was made public on
22-July-2018, after being privately disclosed on 16-Jun-2018. The EOL date
of Tomcat 8.0.X was 30-Jun-2018.

Reaching out to you to get confirmation on whether the CVE is confirmed to
not affect the version 8.0.X or if the CVE was not tested against such
version at all as its EOL date preceded the public disclosure.

Your help on this matter would be greatly appreciated.

Thanks,
Martin

Re: Additional Information on Apache Tomcat CVE-2018-8037

Posted by Mark Thomas <ma...@apache.org>.
On 01/10/2019 18:27, Martin Cocaro wrote:
> yes, upgrading to 8.5 is work in progress, but would want to have a
> conclusive test that the same scenario fails in 8.0.X. What is the best way
> to distribute the POC code and what is required from our end to get access
> to it?

Martin,

There is no PoC and even if there was we would not release it.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Additional Information on Apache Tomcat CVE-2018-8037

Posted by Martin Cocaro <ma...@mulesoft.com.INVALID>.
yes, upgrading to 8.5 is work in progress, but would want to have a
conclusive test that the same scenario fails in 8.0.X. What is the best way
to distribute the POC code and what is required from our end to get access
to it?

On Tue, Oct 1, 2019 at 1:54 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Martin,
>
> On 10/1/19 12:15, Martin Cocaro wrote:
> > Thank you Chris for the answer. The EOL date and its policy made
> > me wonder if the CVE was tested against that version.
> >
> > Is there any place I can get a POC version of the CVE test case so
> > that I can do the test myself against version 8.0.53?
> Possibly, but we won't be distributing any PoC code, here.
>
> Why not simply plan to migrate to Tomcat 8.5? The process should be
> fairly smooth.
>
> - -chris
>
> > On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <
> > chris@christopherschultz.net> wrote:
> >
> > Martin,
> >
> > On 10/1/19 10:35, Martin Cocaro wrote:
> >>>> Apache Tomcat Users Team,
> >>>>
> >>>> The purpose of this email is to request information
> >>>> regarding Apache Tomcat CVE-2018-8037
> >>>> <https://www.securityfocus.com/bid/104894/info> possibly
> >>>> affecting version 8.0.X (particularly 8.0.53). The CVE was
> >>>> made public on 22-July-2018, after being privately disclosed
> >>>> on 16-Jun-2018. The EOL date of Tomcat 8.0.X was
> >>>> 30-Jun-2018.
> >>>>
> >>>> Reaching out to you to get confirmation on whether the CVE
> >>>> is confirmed to not affect the version 8.0.X or if the CVE
> >>>> was not tested against such version at all as its EOL date
> >>>> preceded the public disclosure.
> >>>>
> >>>> Your help on this matter would be greatly appreciated.
> >
> > That source you are reading (securityfocus) lists all of the
> > vulnerable versions. If you look at the Mitre report, you'll see
> > the same thing, except that they provide a *range* of versions
> > instead of just the individual ones affected.
> >
> > No Tomcat 8.0.x versions appear in the list.
> >
> > I haven't personally tested Tomcat 8.0.x against any
> > proof-of-concept code, but I do not believe it is/was vulnerable to
> > this CVE.
> >
> > -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2TguwACgkQHPApP6U8
> pFh2ZhAAgCmtJ6pX5pnuirfhc7lGP+1wCYVnpXlDHWBfDuaBBbzo6qgDyaS/bIOQ
> xHAiROr2zCRmwkMVtWu+8Sxrs3uYpO4lorlQ7ehSTzQzfFjD00KIyxafrIE+IyRo
> 6EyQpRrWQFNa4jF5EQgJCmO+UCVjCxzPNKCl/qjJCwz4/q5FWKougEqzMTpol3g1
> x9+dU9yKDi1AUwpQLQI9XY/WYqCknwag/E/sTmZ77nLTZvXP+pwJ1ocACq/Y+jYe
> a2TpRs7EY6xPtpexOKLhqUKbbh4tbGIinVElLoCOYlvCox3rGfOQi99Dr2oOe4IN
> Gm7D2qPYlGkJAEr5lO7ipF0UviojzWJju5Y/YgpUAEvFwYThnymSxbMOq5nPWfuv
> MRXxt1oRv96UJTWLI2kmbVFigA1VJKxkiCZQBK0pdYHxpnUbXJgxaOOqNuIunM3S
> bh/zWN+DfUsNVRqXLekuizFpaVRw7v5KwPOmzsNr8jSUVCwKRRYYCuwnQonicRds
> DghLpGHx4vQbC1KvzRbKZ4Hwx3f4XqXQesMHVS9NkC2PYR1hrrpxYlzLjIAEzvg4
> UfSOTsF3+wwxbYT4HabCQbVrprd+huLctHTZONy/XZec4qUszTFBPwdlNc4578Q7
> SQrKZpyvfRn8KPyTvMfkODCLvuZzOg3FNTt9ek/VYhLzWjOKNSc=
> =RjHm
> -----END PGP SIGNATURE-----

Re: Additional Information on Apache Tomcat CVE-2018-8037

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Martin,

On 10/1/19 12:15, Martin Cocaro wrote:
> Thank you Chris for the answer. The EOL date and its policy made
> me wonder if the CVE was tested against that version.
>
> Is there any place I can get a POC version of the CVE test case so
> that I can do the test myself against version 8.0.53?
Possibly, but we won't be distributing any PoC code, here.

Why not simply plan to migrate to Tomcat 8.5? The process should be
fairly smooth.

- -chris

> On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
> Martin,
>
> On 10/1/19 10:35, Martin Cocaro wrote:
>>>> Apache Tomcat Users Team,
>>>>
>>>> The purpose of this email is to request information
>>>> regarding Apache Tomcat CVE-2018-8037
>>>> <https://www.securityfocus.com/bid/104894/info> possibly
>>>> affecting version 8.0.X (particularly 8.0.53). The CVE was
>>>> made public on 22-July-2018, after being privately disclosed
>>>> on 16-Jun-2018. The EOL date of Tomcat 8.0.X was
>>>> 30-Jun-2018.
>>>>
>>>> Reaching out to you to get confirmation on whether the CVE
>>>> is confirmed to not affect the version 8.0.X or if the CVE
>>>> was not tested against such version at all as its EOL date
>>>> preceded the public disclosure.
>>>>
>>>> Your help on this matter would be greatly appreciated.
>
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see
> the same thing, except that they provide a *range* of versions
> instead of just the individual ones affected.
>
> No Tomcat 8.0.x versions appear in the list.
>
> I haven't personally tested Tomcat 8.0.x against any
> proof-of-concept code, but I do not believe it is/was vulnerable to
> this CVE.
>
> -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2TguwACgkQHPApP6U8
pFh2ZhAAgCmtJ6pX5pnuirfhc7lGP+1wCYVnpXlDHWBfDuaBBbzo6qgDyaS/bIOQ
xHAiROr2zCRmwkMVtWu+8Sxrs3uYpO4lorlQ7ehSTzQzfFjD00KIyxafrIE+IyRo
6EyQpRrWQFNa4jF5EQgJCmO+UCVjCxzPNKCl/qjJCwz4/q5FWKougEqzMTpol3g1
x9+dU9yKDi1AUwpQLQI9XY/WYqCknwag/E/sTmZ77nLTZvXP+pwJ1ocACq/Y+jYe
a2TpRs7EY6xPtpexOKLhqUKbbh4tbGIinVElLoCOYlvCox3rGfOQi99Dr2oOe4IN
Gm7D2qPYlGkJAEr5lO7ipF0UviojzWJju5Y/YgpUAEvFwYThnymSxbMOq5nPWfuv
MRXxt1oRv96UJTWLI2kmbVFigA1VJKxkiCZQBK0pdYHxpnUbXJgxaOOqNuIunM3S
bh/zWN+DfUsNVRqXLekuizFpaVRw7v5KwPOmzsNr8jSUVCwKRRYYCuwnQonicRds
DghLpGHx4vQbC1KvzRbKZ4Hwx3f4XqXQesMHVS9NkC2PYR1hrrpxYlzLjIAEzvg4
UfSOTsF3+wwxbYT4HabCQbVrprd+huLctHTZONy/XZec4qUszTFBPwdlNc4578Q7
SQrKZpyvfRn8KPyTvMfkODCLvuZzOg3FNTt9ek/VYhLzWjOKNSc=
=RjHm
-----END PGP SIGNATURE-----



Re: Additional Information on Apache Tomcat CVE-2018-8037

Posted by Martin Cocaro <ma...@mulesoft.com.INVALID>.
Thank you Chris for the answer. The EOL date and its policy made me wonder
if the CVE was tested against that version.

Is there any place I can get a POC version of the CVE test case so that I
can do the test myself against version 8.0.53?

On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Martin,
>
> On 10/1/19 10:35, Martin Cocaro wrote:
> > Apache Tomcat Users Team,
> >
> > The purpose of this email is to request information regarding
> > Apache Tomcat CVE-2018-8037
> > <https://www.securityfocus.com/bid/104894/info> possibly affecting
> > version 8.0.X (particularly 8.0.53). The CVE was made public on
> > 22-July-2018, after being privately disclosed on 16-Jun-2018. The
> > EOL date of Tomcat 8.0.X was 30-Jun-2018.
> >
> > Reaching out to you to get confirmation on whether the CVE is
> > confirmed to not affect the version 8.0.X or if the CVE was not
> > tested against such version at all as its EOL date preceded the
> > public disclosure.
> >
> > Your help on this matter would be greatly appreciated.
>
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see the
> same thing, except that they provide a *range* of versions instead of
> just the individual ones affected.
>
> No Tomcat 8.0.x versions appear in the list.
>
> I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> code, but I do not believe it is/was vulnerable to this CVE.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2TdBoACgkQHPApP6U8
> pFgGRBAAnQ9R4NpHSQUQ+/rfo6Vlf9kJTF9QgnxzrYavUBfFgg97SbfttLYsaN63
> +MzyciyLRepi1iESqllHi16R8Yn9JhRZzkhqSue3t7IkybkcKlOJDJXjptqJn6cb
> Hp9CooAUlU1xt1zfA6w+r3/loXYuj+C1153dw9OqC725N0LsDxG6xvPD5tWhBwP7
> 3eOMCVzZq/ikVuXeALauhQFnOKywLfOQZWwktHEsX2gmXy9oV+tMwAoljjTqp7JR
> atbUg4EuWpoV6pPTTKSmAEfLXvYcyBY9pcsgEaJJHhdgBqdppi9MP/vqHlXPuMXr
> Ps2tkTQJ3NC3UZMKe0MHy6TzbsFzDIVdfRL8kJ6lMSQzufYQF4pHsJyBF8cbZjAT
> LUT5YffGRMLc5F5oZd5KagVNfL6OZqX3GxaJ9lum9tOTLvlyO4F6ekfhX/mXjhzN
> w62cJrdIy6ZjVlGsGaQYizotbkIAiw2VkvOC8OZgd61qZPmGg74uiPTwuY67bCPH
> BjFgXqmQiOILkIGRZVyoevn7wZ4oGixp1GU5O3k1mCI2pnpyKN2M36RvHkgWtewc
> +8TGMEUxRIV4kiJg8Q5v6OCK3puZI7ujCn2eKpbHls8tBMNvsmd5ql8dxzPF+zNb
> H8+xADEJhD+zNtqQBhWFMGnU3tMtqttZMk7chKMv7gWG0sK5v5w=
> =mT+v
> -----END PGP SIGNATURE-----

Re: Additional Information on Apache Tomcat CVE-2018-8037

Posted by Martin Cocaro <ma...@mulesoft.com.INVALID>.
Thank you for the confirmation! Much appreciated.

On Tue, Oct 1, 2019 at 12:46 PM Mark Thomas <ma...@apache.org> wrote:

> > Martin,
> >
> > On 10/1/19 10:35, Martin Cocaro wrote:
> >> Apache Tomcat Users Team,
> >
> >> The purpose of this email is to request information regarding
> >> Apache Tomcat CVE-2018-8037
> >> <https://www.securityfocus.com/bid/104894/info> possibly affecting
> >> version 8.0.X (particularly 8.0.53). The CVE was made public on
> >> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
> >> EOL date of Tomcat 8.0.X was 30-Jun-2018.
> >
> >> Reaching out to you to get confirmation on whether the CVE is
> >> confirmed to not affect the version 8.0.X or if the CVE was not
> >> tested against such version at all as its EOL date preceded the
> >> public disclosure.
> >
> >> Your help on this matter would be greatly appreciated.
> >
> > That source you are reading (securityfocus) lists all of the
> > vulnerable versions. If you look at the Mitre report, you'll see the
> > same thing, except that they provide a *range* of versions instead of
> > just the individual ones affected.
> >
> > No Tomcat 8.0.x versions appear in the list.
> >
> > I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> > code, but I do not believe it is/was vulnerable to this CVE.
>
> I've just been reading through the internal discussion for
> CVE-2018-8037. The conclusion was that neither 8.0.x nor 7.0.x was
> vulnerable.
>
> Mark

Re: Additional Information on Apache Tomcat CVE-2018-8037

Posted by Mark Thomas <ma...@apache.org>.
> Martin,
> 
> On 10/1/19 10:35, Martin Cocaro wrote:
>> Apache Tomcat Users Team,
> 
>> The purpose of this email is to request information regarding
>> Apache Tomcat CVE-2018-8037
>> <https://www.securityfocus.com/bid/104894/info> possibly affecting
>> version 8.0.X (particularly 8.0.53). The CVE was made public on
>> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
>> EOL date of Tomcat 8.0.X was 30-Jun-2018.
> 
>> Reaching out to you to get confirmation on whether the CVE is
>> confirmed to not affect the version 8.0.X or if the CVE was not
>> tested against such version at all as its EOL date preceded the
>> public disclosure.
> 
>> Your help on this matter would be greatly appreciated.
> 
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see the
> same thing, except that they provide a *range* of versions instead of
> just the individual ones affected.
> 
> No Tomcat 8.0.x versions appear in the list.
> 
> I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> code, but I do not believe it is/was vulnerable to this CVE.

I've just been reading through the internal discussion for
CVE-2018-8037. The conclusion was that neither 8.0.x nor 7.0.x was
vulnerable.

Mark



Re: Additional Information on Apache Tomcat CVE-2018-8037

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Martin,

On 10/1/19 10:35, Martin Cocaro wrote:
> Apache Tomcat Users Team,
>
> The purpose of this email is to request information regarding
> Apache Tomcat CVE-2018-8037
> <https://www.securityfocus.com/bid/104894/info> possibly affecting
> version 8.0.X (particularly 8.0.53). The CVE was made public on
> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
> EOL date of Tomcat 8.0.X was 30-Jun-2018.
>
> Reaching out to you to get confirmation on whether the CVE is
> confirmed to not affect the version 8.0.X or if the CVE was not
> tested against such version at all as its EOL date preceded the
> public disclosure.
>
> Your help on this matter would be greatly appreciated.

That source you are reading (securityfocus) lists all of the
vulnerable versions. If you look at the Mitre report, you'll see the
same thing, except that they provide a *range* of versions instead of
just the individual ones affected.

No Tomcat 8.0.x versions appear in the list.

I haven't personally tested Tomcat 8.0.x against any proof-of-concept
code, but I do not believe it is/was vulnerable to this CVE.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2TdBoACgkQHPApP6U8
pFgGRBAAnQ9R4NpHSQUQ+/rfo6Vlf9kJTF9QgnxzrYavUBfFgg97SbfttLYsaN63
+MzyciyLRepi1iESqllHi16R8Yn9JhRZzkhqSue3t7IkybkcKlOJDJXjptqJn6cb
Hp9CooAUlU1xt1zfA6w+r3/loXYuj+C1153dw9OqC725N0LsDxG6xvPD5tWhBwP7
3eOMCVzZq/ikVuXeALauhQFnOKywLfOQZWwktHEsX2gmXy9oV+tMwAoljjTqp7JR
atbUg4EuWpoV6pPTTKSmAEfLXvYcyBY9pcsgEaJJHhdgBqdppi9MP/vqHlXPuMXr
Ps2tkTQJ3NC3UZMKe0MHy6TzbsFzDIVdfRL8kJ6lMSQzufYQF4pHsJyBF8cbZjAT
LUT5YffGRMLc5F5oZd5KagVNfL6OZqX3GxaJ9lum9tOTLvlyO4F6ekfhX/mXjhzN
w62cJrdIy6ZjVlGsGaQYizotbkIAiw2VkvOC8OZgd61qZPmGg74uiPTwuY67bCPH
BjFgXqmQiOILkIGRZVyoevn7wZ4oGixp1GU5O3k1mCI2pnpyKN2M36RvHkgWtewc
+8TGMEUxRIV4kiJg8Q5v6OCK3puZI7ujCn2eKpbHls8tBMNvsmd5ql8dxzPF+zNb
H8+xADEJhD+zNtqQBhWFMGnU3tMtqttZMk7chKMv7gWG0sK5v5w=
=mT+v
-----END PGP SIGNATURE-----
