Thank you, Mark, for the quick reply! Yeah... Apache reports it as LOW and they report it as MEDIUM. We have to mitigate all MEDIUM and HIGH vulnerabilities.
Best regards,
Rick

On Wed, Jun 20, 2018 at 1:00 PM, Mark Thomas <ma...@apache.org> wrote:
> On 20/06/18 18:16, Bradley, Richard wrote:
> > Hello,
> >
> > Tomcat version: 8.5.31
> > O/S: Windows Server 2008 R2
> >
> > McAfee vulnerability checker has reported a MEDIUM level vulnerability as
> > follows:
> >
> > Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
> > [FID 23621]
> >
> > Apache Software Foundation reports this in annou...@tomcat.apache.org
> > <https://lists.apache.org/list.html?annou...@tomcat.apache.org>:
> >
> > CVE-2018-8014 Insecure defaults for CORS filter
> >
> > and the only mitigation is to "Configure the filter appropriately for your
> > environment"
> >
> > My question is:
> >
> > What if you don't have a CORS filter configured anywhere in the Tomcat and
> > web apps associated web.xml files?
>
> You have nothing to worry about.
>
> Well, apart from the poor quality of your vulnerability scanner that
> looks like it is reporting a CORS issue without checking to see if CORS
> headers are being sent.
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

--
Richard M. Bradley (Rick)
*Geospatial Engineer*
BLM NOC EGIS
Sanborn Map Company, Inc.
Phone number: (303) 236-4538
rmbrad...@blm.gov

"Decide that you want it more than you're afraid of it. Your greatest dreams are all on the other side of the wall of fear and caution." - Unknown

This e-mail, including any attachments, contains information intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged and/or confidential or is otherwise protected by law.
If you are not the intended recipient or agent or an employee responsible for delivering the communication to the intended recipient, you are hereby notified that any review, use, disclosure, copying and/or distribution of its contents is prohibited. If you have received this e-mail in error, please notify us immediately by reply to sender only and destroy the original.
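Mark's point above is that a scanner should look at whether CORS headers are actually being sent before flagging CVE-2018-8014. The following is an added example, not code from the thread or from the Tomcat project: it takes a captured HTTP response (from a request that carried an arbitrary `Origin` header) and classifies it as "no CORS filter responding", "origin reflected with credentials" (the insecure-default combination the advisory refers to), "wildcard origin", or "origin restricted". The response samples, the probe origin `https://attacker.example`, and the helper names are all constructed for this illustration.

```python
# Added example (not from the original thread or the Tomcat project).
# Classify captured HTTP response headers to decide whether a CORS filter is
# active at all, and if so whether it echoes an arbitrary Origin together with
# Access-Control-Allow-Credentials: true. All sample responses are constructed.

PROBE_ORIGIN = "https://attacker.example"  # constructed arbitrary Origin used in the request


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response (status line + headers) into a lowercase-keyed dict.

    Stops at the first blank line so body text is never mistaken for a header.
    """
    headers = {}
    lines = raw.splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if line.strip() == "":
            break
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_cors(raw_response: str, probe_origin: str = PROBE_ORIGIN) -> str:
    """Return one of:

    'no-cors-filter'             no Access-Control-* headers at all; nothing is
                                 answering CORS requests, so the CORS advisory
                                 does not apply (Mark's point in the thread)
    'reflects-with-credentials'  the arbitrary probe origin is echoed back and
                                 credentials are allowed: the insecure combination
    'wildcard'                   Access-Control-Allow-Origin: * (browsers refuse
                                 to send credentials to a wildcard origin)
    'restricted'                 CORS headers are present but the probe origin
                                 was not granted
    """
    h = parse_headers(raw_response)
    if not any(name.startswith("access-control-") for name in h):
        return "no-cors-filter"
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin and creds:
        return "reflects-with-credentials"
    if acao == "*":
        return "wildcard"
    return "restricted"


# Constructed sample responses to a request carrying "Origin: https://attacker.example".
NO_FILTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>Note: this body line contains a colon</html>\r\n"
)

INSECURE_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: https://attacker.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Vary: Origin\r\n"
    "\r\n"
)

WILDCARD = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "\r\n"
)

RESTRICTED = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: https://app.example\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Vary: Origin\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in [("no filter", NO_FILTER), ("insecure default", INSECURE_DEFAULT),
                          ("wildcard", WILDCARD), ("restricted", RESTRICTED)]:
        print(f"{label:17s} -> {classify_cors(sample)}")
```

Run against a real server, the raw response would come from a request that sets an `Origin` header the application does not trust; the first classification, where no `Access-Control-*` header appears, is the case the thread discusses, in which no CORS filter is mapped in any web.xml and the finding should not be raised.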