[ https://issues.apache.org/jira/browse/GERONIMO-3549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jay D. McHugh resolved GERONIMO-3549.
-------------------------------------

    Resolution: Fixed

Commits for Geronimo-3451 ('restricted listeners') also include necessary security fixes for this issue.

> Potential vulnerability in Apache Tomcat Webdav servlet
> -------------------------------------------------------
>
>                 Key: GERONIMO-3549
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3549
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public (Regular issues)
>          Components: Tomcat
>    Affects Versions: 1.1.1, 1.2, 2.0, 2.0.1, 2.0.2, 2.0.x, 2.1
>            Reporter: Donald Woods
>            Assignee: Jay D. McHugh
>             Fix For: 2.0.x, 2.1
>
>
> Subject: [SECURITY] Potential vulnerability in Apache Tomcat Webdav servlet
> Date: Thu, 18 Oct 2007 13:40:24 -0400
> From: Kevan Miller <[EMAIL PROTECTED]>
> Reply-To: dev@geronimo.apache.org
> To: Geronimo Dev <dev@geronimo.apache.org>
>
> The Geronimo project has learned of a security vulnerability in the
> Apache Tomcat Webdav Servlet implementation. If you use a Tomcat
> configuration of Geronimo and configure a write-enabled Webdav servlet,
> you may be affected by this vulnerability. If you do not configure the
> Webdav servlet or configure read-only Webdav servlets, you are not
> impacted by this vulnerability. Jetty configurations of Geronimo are not
> affected by this vulnerability.
>
> This vulnerability impacts all Geronimo releases up to and including
> Geronimo 2.0.2.
>
> For specific information regarding the Tomcat issue, see
> http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/[EMAIL PROTECTED]
>
> By default, Geronimo releases do not use the Webdav servlet. However, it
> is possible for the Webdav Servlet to be configured or referenced by a
> user-written application.
>
> The Webdav Servlet could be explicitly configured in a web.xml
> deployment descriptor as follows:
>
> ...
> <servlet>
>     <servlet-name>webdav</servlet-name>
>     <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
>     <init-param>
>         <param-name>readonly</param-name>
>         <param-value>false</param-value>
>     </init-param>
> </servlet>
>
> Alternatively, a user's application could extend the WebdavServlet, for
> example:
>
> import org.apache.catalina.servlets.WebdavServlet;
>
> public class MyServlet extends WebdavServlet {
>     ...
>
> If you configure a write-enabled Webdav servlet, we recommend that you:
>
> - Disable write access to the Webdav Servlet until this problem has
>   been fixed, or
> - Limit access to the Webdav servlet to only trusted users.
>
> This vulnerability will be fixed in the next release of Geronimo (2.0.3
> and/or 2.1).
>
> --kevan

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
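The advisory quoted above tells operators to look for write-enabled Webdav servlet declarations and either switch them to read-only or restrict them to trusted users. The following audit script is an added example, not code from the Geronimo issue or from the Geronimo or Tomcat projects. It parses a `web.xml` like the one in the advisory and reports every `org.apache.catalina.servlets.WebdavServlet` declaration that has `readonly` set to `false` and whose `url-pattern` is not covered by a `security-constraint` with an `auth-constraint`. It assumes Tomcat's `readonly` default of `true` when the init-param is absent, and matches url-patterns by exact string equality rather than the servlet spec's pattern-matching rules. The sample `web.xml` embedded in the script is constructed for the demonstration, and `com.example.MyServlet` is a hypothetical user subclass of the kind the advisory mentions.

```python
"""Audit a Tomcat/Geronimo web.xml for write-enabled WebDAV servlets.

Added example, not Geronimo or Tomcat project code. The sample web.xml
below is constructed; com.example.MyServlet is a hypothetical subclass.
"""
import xml.etree.ElementTree as ET

WEBDAV_CLASS = "org.apache.catalina.servlets.WebdavServlet"

# Constructed sample: four WebDAV-style servlets in different states.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>share</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>docs</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>files</servlet-name>
    <servlet-class>com.example.MyServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/webdav/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>share</servlet-name><url-pattern>/share/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>docs</servlet-name><url-pattern>/docs/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>files</servlet-name><url-pattern>/files/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>webdav</web-resource-name>
      <url-pattern>/webdav/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from an element tag ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem with the given local name."""
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    """Text of the first child named `name`, or "" if absent."""
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def audit_web_xml(xml_text, extra_webdav_classes=()):
    """One finding per WebDAV servlet: name, class, readonly, url_patterns, auth_constrained.

    readonly is True when the init-param is absent (Tomcat's default); a present
    value is read like Java's Boolean.parseBoolean (only "true" is true).
    Subclasses of WebdavServlet are only recognised if passed in extra_webdav_classes.
    """
    root = ET.fromstring(xml_text)
    webdav_classes = {WEBDAV_CLASS, *extra_webdav_classes}

    # servlet-name -> list of url-patterns it is mapped to
    mappings = {}
    for m in _children(root, "servlet-mapping"):
        for p in _children(m, "url-pattern"):
            mappings.setdefault(_text(m, "servlet-name"), []).append((p.text or "").strip())

    # url-patterns covered by a security-constraint that actually requires a role
    constrained = set()
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            constrained.update((p.text or "").strip() for p in _children(wrc, "url-pattern"))

    findings = []
    for s in _children(root, "servlet"):
        cls = _text(s, "servlet-class")
        if cls not in webdav_classes:
            continue
        readonly = True
        for ip in _children(s, "init-param"):
            if _text(ip, "param-name") == "readonly":
                readonly = _text(ip, "param-value").lower() == "true"
        name = _text(s, "servlet-name")
        patterns = mappings.get(name, [])
        findings.append({
            "name": name, "class": cls, "readonly": readonly, "url_patterns": patterns,
            "auth_constrained": bool(patterns) and all(p in constrained for p in patterns),
        })
    return findings


def write_enabled_unprotected(xml_text, extra_webdav_classes=()):
    """Names of WebDAV servlets that are write-enabled and not behind an auth-constraint."""
    return [f["name"] for f in audit_web_xml(xml_text, extra_webdav_classes)
            if not f["readonly"] and not f["auth_constrained"]]


if __name__ == "__main__":
    for f in audit_web_xml(SAMPLE_WEB_XML, ["com.example.MyServlet"]):
        print(f)
    print("needs attention:", write_enabled_unprotected(SAMPLE_WEB_XML, ["com.example.MyServlet"]))
```

On the constructed sample the script flags `share` (write-enabled, no constraint) and, once the hypothetical subclass name is supplied, `files`; `webdav` is write-enabled but sits behind an `auth-constraint`, which is the "trusted users only" mitigation the advisory describes, and `docs` is read-only by default. Because a user-written subclass appears in `web.xml` under its own class name, a deployment audit should also grep the application's sources and classes for `extends WebdavServlet` and feed those names in through `extra_webdav_classes`.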