Re: CVE-2014-7810 Mitigation

Lynch, Charles [USA] wrote:
> Seeking guidance on mitigation of CVE-2014-7810 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810) on Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment, and we need to secure our install via other means until the patch can be applied. If there are any workarounds that can be provided, it would be much appreciated. Thank you.

Hi.
Maybe the first thing to ask yourself is if you are in a situation where you are really vulnerable to this vulnerability.
I am not an expert, but from the description, it sounds like this vulnerability could only be exploited by someone who has the possibility to load a malicious web application into the Tomcat system and have it be run. Is that your case?
See http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [External] Re: CVE-2014-7810 Mitigation

Lynch, Charles [USA] wrote:
> Thank you. I am fairly unfamiliar with Apache as a whole. Simply trying to address our possible attack surfaces. I appreciate your assistance.

Welcome.
By the way, I found the reference to the article below by entering this on Google: CVE-2014-7810 and Tomcat
So if you have any more similar issues...
The references at the bottom of that article may also be of help:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
(or not, as the case may be. But it is always better to be informed, isn't it?)

> From: André Warnier [a...@ice-sa.com]
> Sent: Thursday, June 25, 2015 8:32 AM
> To: Tomcat Users List
> Subject: Re: [External] Re: CVE-2014-7810 Mitigation
>
> Lynch, Charles [USA] wrote:
>> You are saying a malicious actor would need to be on the server itself to load an application?
>
> Basically yes, or be allowed to load and deploy applications via the Manager application (which is either not installed, or anyway secured by default).
> It is fairly clear in the mail archive article I quoted below, which is signed by one of the core Tomcat developers.
>
>> From: André Warnier [a...@ice-sa.com]
>> Sent: Thursday, June 25, 2015 7:55 AM
>> To: Tomcat Users List
>> Subject: [External] Re: CVE-2014-7810 Mitigation
>>
>> Lynch, Charles [USA] wrote:
>>> Seeking guidance on mitigation of CVE-2014-7810 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810) on Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment, and we need to secure our install via other means until the patch can be applied. If there are any workarounds that can be provided, it would be much appreciated. Thank you.
>>
>> Hi.
>> Maybe the first thing to ask yourself is if you are in a situation where you are really vulnerable to this vulnerability.
>> I am not an expert, but from the description, it sounds like this vulnerability could only be exploited by someone who has the possibility to load a malicious web application into the Tomcat system and have it be run. Is that your case?
>> See http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E
RE: [External] Re: CVE-2014-7810 Mitigation

You are saying a malicious actor would need to be on the server itself to load an application?

> From: André Warnier [a...@ice-sa.com]
> Sent: Thursday, June 25, 2015 7:55 AM
> To: Tomcat Users List
> Subject: [External] Re: CVE-2014-7810 Mitigation
>
> Lynch, Charles [USA] wrote:
>> Seeking guidance on mitigation of CVE-2014-7810 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810) on Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment, and we need to secure our install via other means until the patch can be applied. If there are any workarounds that can be provided, it would be much appreciated. Thank you.
>
> Hi.
> Maybe the first thing to ask yourself is if you are in a situation where you are really vulnerable to this vulnerability.
> I am not an expert, but from the description, it sounds like this vulnerability could only be exploited by someone who has the possibility to load a malicious web application into the Tomcat system and have it be run. Is that your case?
> See http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E
RE: [External] Re: CVE-2014-7810 Mitigation

Thank you. I am fairly unfamiliar with Apache as a whole. Simply trying to address our possible attack surfaces. I appreciate your assistance.

> From: André Warnier [a...@ice-sa.com]
> Sent: Thursday, June 25, 2015 8:32 AM
> To: Tomcat Users List
> Subject: Re: [External] Re: CVE-2014-7810 Mitigation
>
> Lynch, Charles [USA] wrote:
>> You are saying a malicious actor would need to be on the server itself to load an application?
>
> Basically yes, or be allowed to load and deploy applications via the Manager application (which is either not installed, or anyway secured by default).
> It is fairly clear in the mail archive article I quoted below, which is signed by one of the core Tomcat developers.
>
>> From: André Warnier [a...@ice-sa.com]
>> Sent: Thursday, June 25, 2015 7:55 AM
>> To: Tomcat Users List
>> Subject: [External] Re: CVE-2014-7810 Mitigation
>>
>> Lynch, Charles [USA] wrote:
>>> Seeking guidance on mitigation of CVE-2014-7810 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810) on Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment, and we need to secure our install via other means until the patch can be applied. If there are any workarounds that can be provided, it would be much appreciated. Thank you.
>>
>> Hi.
>> Maybe the first thing to ask yourself is if you are in a situation where you are really vulnerable to this vulnerability.
>> I am not an expert, but from the description, it sounds like this vulnerability could only be exploited by someone who has the possibility to load a malicious web application into the Tomcat system and have it be run. Is that your case?
>> See http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E
Re: [External] Re: CVE-2014-7810 Mitigation

Lynch, Charles [USA] wrote:
> You are saying a malicious actor would need to be on the server itself to load an application?

Basically yes, or be allowed to load and deploy applications via the Manager application (which is either not installed, or anyway secured by default).
It is fairly clear in the mail archive article I quoted below, which is signed by one of the core Tomcat developers.

> From: André Warnier [a...@ice-sa.com]
> Sent: Thursday, June 25, 2015 7:55 AM
> To: Tomcat Users List
> Subject: [External] Re: CVE-2014-7810 Mitigation
>
> Lynch, Charles [USA] wrote:
>> Seeking guidance on mitigation of CVE-2014-7810 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810) on Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment, and we need to secure our install via other means until the patch can be applied. If there are any workarounds that can be provided, it would be much appreciated. Thank you.
>
> Hi.
> Maybe the first thing to ask yourself is if you are in a situation where you are really vulnerable to this vulnerability.
> I am not an expert, but from the description, it sounds like this vulnerability could only be exploited by someone who has the possibility to load a malicious web application into the Tomcat system and have it be run. Is that your case?
> See http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E
CVE-2014-7810 Mitigation

Seeking guidance on mitigation of CVE-2014-7810 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810) on Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment, and we need to secure our install via other means until the patch can be applied. If there are any workarounds that can be provided, it would be much appreciated. Thank you.

Chuck Lynch
Re: [External] Re: CVE-2014-7810 Mitigation

André,

On 6/25/15 8:32 AM, André Warnier wrote:
> Lynch, Charles [USA] wrote:
>> You are saying a malicious actor would need to be on the server itself to load an application?
>
> Basically yes, or be allowed to load and deploy applications via the Manager application (which is either not installed, or anyway secured by default).

Correct: this CVE indicates that Tomcat is vulnerable to a malicious web application, not to a remote user.

-chris
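The whole thread turns on who can get a web application deployed into the server, so here is an added exposure check for a Tomcat 6.0.x CATALINA_BASE (my own example, not code from the thread or from the Tomcat project): it compares the server version with the 6.0.43 fix named above, looks for the Manager webapp, and lists the tomcat-users.xml accounts holding a role that would let them deploy through it. The role set in `DEPLOY_ROLES`, the function names and the sample tomcat-users.xml are assumptions constructed for this example.

```python
"""CVE-2014-7810 exposure check for a Tomcat 6.0.x install (constructed example).
The bug is reachable only from a deployed web application, so the question is
who can deploy one: is the server past the 6.0.43 fix named in the thread, is the
Manager app present, and which tomcat-users.xml accounts can push a WAR via it."""
import os
import re
import xml.etree.ElementTree as ET

FIXED_6 = (6, 0, 43)  # fix version for the 6.0.x branch, as stated in the thread
# Assumed role set: the legacy 'manager' role plus the split manager-* roles.
DEPLOY_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx"}
# Constructed conf/tomcat-users.xml; the commented-out stock user is ignored by
# the parser, which is why a default install grants nobody deploy rights.
SAMPLE_USERS = """<tomcat-users>
  <!-- <user username="tomcat" password="tomcat" roles="manager-gui"/> -->
  <user username="deployer" password="x" roles="manager-script,admin"/>
  <user username="app" password="x" roles="tomcat"/>
</tomcat-users>"""

def version_tuple(server_number):
    """'6.0.37.0' or 'Apache Tomcat/6.0.37' -> (6, 0, 37)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", server_number)
    if not m:
        raise ValueError("no version found in %r" % server_number)
    return tuple(int(x) for x in m.groups())

def is_patched(server_number):
    """True/False for the 6.0.x branch; None for other branches (see security-7/8)."""
    v = version_tuple(server_number)
    return v >= FIXED_6 if v[0] == 6 else None

def deploy_accounts(tomcat_users_xml):
    """username -> sorted deploy roles, for every user holding at least one."""
    found = {}
    for el in ET.fromstring(tomcat_users_xml).iter():
        if el.tag.split("}")[-1] == "user":  # tolerate a namespaced root element
            hit = {r.strip() for r in el.get("roles", "").split(",")} & DEPLOY_ROLES
            if hit:
                found[el.get("username")] = sorted(hit)
    return found

def manager_deployed(catalina_base):  # webapps/manager as a directory or a WAR
    webapps = os.path.join(catalina_base, "webapps")
    return any(os.path.exists(os.path.join(webapps, n)) for n in ("manager", "manager.war"))

def exposure_report(server_number, tomcat_users_xml, catalina_base):
    """Who can reach the bug: nobody (patched), Manager accounts, or local writers only."""
    accounts, patched = deploy_accounts(tomcat_users_xml), is_patched(server_number)
    status = ("patched" if patched else "deployable-via-manager"
              if manager_deployed(catalina_base) and accounts else "local-deploy-only")
    return {"status": status, "patched": patched, "deploy_accounts": accounts}
```

On a real install, pass the `server.number` from the running Tomcat and the contents of `conf/tomcat-users.xml`; "local-deploy-only" means the remaining exposure is whoever can already write a WAR into the server's webapps directory, which is the case the thread describes.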