Posted to users@tomcat.apache.org by Harish Krishnan <ha...@gmail.com> on 2018/03/14 01:04:13 UTC

Questions on recent CVE fixes

Hi All,

Thanks for all the help and work you great people do.

My question is regarding CVE-2018-1305
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305> and
CVE-2018-1304 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304>
that were fixed in the latest builds.
We use Tomcat 7.x.

a) When can we expect the CVE scores to be determined for these vulnerabilities?
On NVD, it still says awaiting analysis.
This information would help us determine the SLA on when we can update
tomcat builds.

b) Regarding 1st CVE (#1305), we do not use annotation based security
constraints. Instead we configure it in our web.xml.
With this understanding, is it safe to consider we are not vulnerable?

c) Regarding 2nd CVE (#1304), the url pattern in all our security
constraints is of the format "/*".
* I believe would include everything.
To confirm with you, does this include the empty ("") string to make our
usage vulnerable too?

regards
Harish Krishnan

Re: Questions on recent CVE fixes

Posted by Harish Krishnan <ha...@gmail.com>.
Thanks for the response and confirmation, Mark.

On Wed, Mar 14, 2018 at 12:24 AM, Mark Thomas <ma...@apache.org> wrote:

> On 14/03/2018 01:04, Harish Krishnan wrote:
>
>> Hi All,
>>
>> Thanks for all the help and work you great people do.
>>
>> My question is regarding CVE-2018-1305
>> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305> and
>> CVE-2018-1304 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304>
>> that were fixed in the latest builds.
>> We use Tomcat 7.x.
>>
>> a) When can we expect the CVE scores to be determined for these vulnerabilities?
>> On NVD, it still says awaiting analysis.
>> This information would help us determine the SLA on when we can update
>> tomcat builds.
>>
>
> The Tomcat community does not provide CVSS scores. There are multiple
> reasons for this including:
> - they are too subjective;
> - the true score depends on how Tomcat is being used and that can only
>   be determined by the user and can vary wildly from user to user for
>   any one vulnerability.
>
> The correct thing to do is exactly what you are doing. Review the
> vulnerabilities, figure out if they impact you or not and, if they do
> impact you, figure out the extent of that impact, what you need to do to
> mitigate that impact and how quickly you need to do it.
>
>> b) Regarding 1st CVE (#1305), we do not use annotation based security
>> constraints. Instead we configure it in our web.xml.
>> With this understanding, is it safe to consider we are not vulnerable?
>>
>
> Correct. You are not vulnerable because you do not define security
> constraints via annotations.
>
>> c) Regarding 2nd CVE (#1304), the url pattern in all our security
>> constraints is of the format "/*".
>> * I believe would include everything.
>> To confirm with you, does this include the empty ("") string to make our
>> usage vulnerable too?
>>
>
> No. You are not vulnerable. The vulnerability only applies if the url
> pattern of the empty string is used to define a security constraint.
>
> Kind regards,
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Questions on recent CVE fixes

Posted by Mark Thomas <ma...@apache.org>.
On 14/03/2018 01:04, Harish Krishnan wrote:
> Hi All,
> 
> Thanks for all the help and work you great people do.
> 
> My question is regarding CVE-2018-1305
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305> and
> CVE-2018-1304 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304>
> that were fixed in the latest builds.
> We use Tomcat 7.x.
> 
> a) When can we expect the CVE scores to be determined for these vulnerabilities?
> On NVD, it still says awaiting analysis.
> This information would help us determine the SLA on when we can update
> tomcat builds.

The Tomcat community does not provide CVSS scores. There are multiple 
reasons for this including:
- they are too subjective;
- the true score depends on how Tomcat is being used and that can only
   be determined by the user and can vary wildly from user to user for
   any one vulnerability.

The correct thing to do is exactly what you are doing. Review the
vulnerabilities, figure out if they impact you or not and, if they do
impact you, figure out the extent of that impact, what you need to do to
mitigate that impact and how quickly you need to do it.

> b) Regarding 1st CVE (#1305), we do not use annotation based security
> constraints. Instead we configure it in our web.xml.
> With this understanding, is it safe to consider we are not vulnerable?

Correct. You are not vulnerable because you do not define security 
constraints via annotations.

> c) Regarding 2nd CVE (#1304), the url pattern in all our security
> constraints is of the format "/*".
> * I believe would include everything.
> To confirm with you, does this include the empty ("") string to make our
> usage vulnerable too?

No. You are not vulnerable. The vulnerability only applies if the url 
pattern of the empty string is used to define a security constraint.

Kind regards,

Mark

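The review Mark describes (check whether any security constraint uses the empty-string url-pattern, and whether any servlet defines its constraints via annotations) can be scripted against a deployment. The following is an added example, not code from the Tomcat project and not part of the thread: it parses a constructed web.xml (one constraint on "/*" as in Harish's setup, one that also lists "") and scans two constructed servlet sources for @ServletSecurity. The function names, the sample files, the whitespace-trimming of patterns and the regex are this example's own choices.

```python
import re
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop an XML namespace: '{http://java.sun.com/xml/ns/javaee}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name, default=""):
    """Text of the first child named `name`, or `default` when absent."""
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else default


def summarize_constraints(web_xml):
    """One record per <security-constraint> in a web.xml string.

    Patterns are whitespace-trimmed (this example's own normalisation), so
    <url-pattern></url-pattern> and <url-pattern> </url-pattern> both read as "".
    """
    root = ET.fromstring(web_xml)
    records = []
    for sc in _children(root, "security-constraint"):
        patterns = []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += [(p.text or "").strip() for p in _children(wrc, "url-pattern")]
        roles = []
        for ac in _children(sc, "auth-constraint"):
            roles += [(r.text or "").strip() for r in _children(ac, "role-name")]
        records.append({
            "name": _text(sc, "display-name", "(unnamed)"),
            "patterns": patterns,
            "roles": roles,
            "uses_empty_pattern": "" in patterns,   # the case Mark ties CVE-2018-1304 to
        })
    return records


def empty_pattern_constraints(web_xml):
    """Only the constraints that include the empty-string url-pattern."""
    return [r for r in summarize_constraints(web_xml) if r["uses_empty_pattern"]]


# Coarse textual check for annotation-defined constraints (the CVE-2018-1305 case).
# A match inside a comment is reported too; the check errs on the side of flagging.
_SERVLET_SECURITY = re.compile(r"@ServletSecurity\b")


def annotation_constrained_sources(sources):
    """sources: {filename: java_source_text}; returns filenames carrying @ServletSecurity."""
    return sorted(name for name, src in sources.items() if _SERVLET_SECURITY.search(src))


# Constructed sample web.xml: first constraint matches Harish's "/*" setup,
# second one also lists the empty-string pattern.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <display-name>whole-app</display-name>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>context-root</display-name>
    <web-resource-collection>
      <web-resource-name>Root and admin</web-resource-name>
      <url-pattern></url-pattern>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed servlet sources: one annotation-constrained, one not.
SAMPLE_SOURCES = {
    "ReportServlet.java": 'import javax.servlet.annotation.ServletSecurity;\n'
                          '@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))\n'
                          'public class ReportServlet extends HttpServlet {}\n',
    "HelloServlet.java": 'public class HelloServlet extends HttpServlet {}\n',
}

if __name__ == "__main__":
    for r in summarize_constraints(SAMPLE_WEB_XML):
        flag = "EMPTY-PATTERN" if r["uses_empty_pattern"] else "ok"
        print(f"{r['name']:<14} patterns={r['patterns']} roles={r['roles']} -> {flag}")
    print("annotation-constrained:", annotation_constrained_sources(SAMPLE_SOURCES))
```

Run it against the real WEB-INF/web.xml and the servlet sources of each application. Two caveats for a complete review: Servlet 3.0 also lets constraints arrive through web-fragment.xml files and annotated classes inside WEB-INF/lib jars, which this script does not open, and the textual @ServletSecurity match is deliberately coarse, so treat its hits as leads to confirm rather than findings.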