Posted to users@tomcat.apache.org by Durga Srinivasu Karuturi <du...@gmail.com> on 2017/06/22 15:46:21 UTC

Reg CVE-2017-5664

Hi,

We are using tomcat 8.5.14.

As this CVE-2017-5664
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664> is applicable
for current tomcat version, we are trying to evaluate whether this CVE is
applicable to our web application or not.


We have a couple of JSP error pages. Tested those; all are served as GET.

Also we have a custom error Servlet handler configured, and in that also we
handle it as GET only.

There are no static error files configured in our web application.

With these, can we take it that this CVE is not applicable to our web application
with 8.5.14 tomcat?

Please suggest.

Thanks,
Durga Srinivasu

Re: Reg CVE-2017-5664

Posted by Durga Srinivasu Karuturi <du...@gmail.com>.
No, we are using RHEL with embedded tomcat running inside java.

Thanks,
Durga Srinivasu

On Thu, Jun 22, 2017 at 10:03 PM, Emmanuel Bourg <eb...@apache.org> wrote:

> Le 22/06/2017 à 17:46, Durga Srinivasu Karuturi a écrit :
>
> > We are using tomcat 8.5.14.
>
> From Debian 9? If so this has been patched today:
>
>   https://www.debian.org/security/2017/dsa-3891
>
> Emmanuel Bourg
>

Re: Reg CVE-2017-5664

Posted by Emmanuel Bourg <eb...@apache.org>.
Le 22/06/2017 à 17:46, Durga Srinivasu Karuturi a écrit :

> We are using tomcat 8.5.14.

From Debian 9? If so this has been patched today:

  https://www.debian.org/security/2017/dsa-3891

Emmanuel Bourg

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Reg CVE-2017-5664

Posted by Durga Srinivasu Karuturi <du...@gmail.com>.
Thanks Mark.

Checked the Error Servlet; it handles doGet() and doPost() only. doPost()
internally calls doGet().
Yes, for PUT/DELETE we are getting 405.

Thanks,
Durga Srinivasu

On Fri, Jun 23, 2017 at 4:38 AM, Mark Thomas <ma...@apache.org> wrote:

> On 22/06/17 16:46, Durga Srinivasu Karuturi wrote:
> > Hi,
> >
> > We are using tomcat 8.5.14.
> >
> > As this CVE-2017-5664
> > <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664> is
> applicable
> > for current tomcat version, we are trying to evaluate whether this CVE
> is
> > applicable to our web application or not.
> >
> >
> > We have a couple of JSP error pages. Tested those; all are served as GET.
>
> No issue with the JSPs as long as they don't check the HTTP method and
> take different actions depending on what it is.
>
> > Also we have a custom error Servlet handler configured, and in that also we
> > handle it as GET only.
>
> Might be worth checking how those servlets respond to non-GET requests.
> If you have only implemented doGet() your users could see a 405 response
> rather than the error page. That should be OK from a security point of
> view.
>
> > There are no static error files configured in our web application.
>
> Good. That removes probably the biggest risk which is the default servlet.
>
> > With these, can we take it that this CVE is not applicable to our web application
> > with 8.5.14 tomcat?
>
> From the information you have provided, you look to be OK but it is
> worth checking the few things I pointed out above.
>
> Mark
>

Re: Reg CVE-2017-5664

Posted by Mark Thomas <ma...@apache.org>.
On 22/06/17 16:46, Durga Srinivasu Karuturi wrote:
> Hi,
> 
> We are using tomcat 8.5.14.
> 
> As this CVE-2017-5664
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664> is applicable
> for current tomcat version, we are trying to evaluate whether this CVE is
> applicable to our web application or not.
> 
> 
> We have a couple of JSP error pages. Tested those; all are served as GET.

No issue with the JSPs as long as they don't check the HTTP method and
take different actions depending on what it is.

> Also we have a custom error Servlet handler configured, and in that also we
> handle it as GET only.

Might be worth checking how those servlets respond to non-GET requests.
If you have only implemented doGet() your users could see a 405 response
rather than the error page. That should be OK from a security point of view.

> There are no static error files configured in our web application.

Good. That removes probably the biggest risk which is the default servlet.

> With these, can we take it that this CVE is not applicable to our web application
> with 8.5.14 tomcat?

From the information you have provided, you look to be OK but it is
worth checking the few things I pointed out above.

Mark
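
Following the advice above about checking how an error servlet responds to non-GET requests, here is an added example (not code from the thread or from Tomcat itself): an error servlet that overrides service() so every HTTP method, including a forwarded PUT or DELETE, reaches the same rendering path as GET and is never treated as a write. It assumes the javax.servlet API shipped with Tomcat 8.5 and a hypothetical web.xml <error-page> mapping pointing at this servlet.

```java
// Added example, not part of the mailing-list thread or of Tomcat.
// Assumes javax.servlet (Tomcat 8.5) and an <error-page> mapping in web.xml.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeErrorServlet extends HttpServlet {

    // Override service() instead of doGet()/doPost(): the container forwards
    // the ORIGINAL request to the error page, so the method can be anything.
    // Handling all methods here means no method-dependent branch exists.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Status code recorded by the container for the failed request;
        // fall back to 500 if the servlet is reached directly.
        Integer status =
                (Integer) req.getAttribute("javax.servlet.error.status_code");
        int code = (status != null)
                ? status : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;

        resp.setStatus(code);
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");

        // HEAD must not carry a body; every other method gets the same page.
        if ("HEAD".equals(req.getMethod())) {
            return;
        }

        // Only the numeric status is rendered: request-controlled values such
        // as the URI or exception message are never echoed into the page.
        try (PrintWriter out = resp.getWriter()) {
            out.println("<!DOCTYPE html><html><head><title>Error " + code
                    + "</title></head><body>");
            out.println("<h1>Error " + code + "</h1>");
            out.println("<p>The request could not be completed.</p>");
            out.println("</body></html>");
        }
    }
}
```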
