I had not even thought of that.

So yet another issue with the original report....

Larry Isaacs wrote:

Thanks Jess for replying to this.

If I recall correctly the vulnerability was in the handling for
a request for status via the AJP12 connector which continues
to be used as the default shutdown mechanism.  The report
mentions a new DOS attack, but fails to note that if a remote
attacker has access to this port, the attacker can shut down
Tomcat as well.  Since the need to restrict access to the
server's shutdown port is nothing new, no changes were made
to address the report.

Cheers,
Larry


-----Original Message-----
From: Jess Holle [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 21, 2005 7:42 PM
To: Tomcat Users List
Subject: Re: CERT Vulnerability Note VU#204710 on Tomcat 3.x


This vulnerability note has to be amongst the most vague and least informative I've ever seen. It says that Tomcat 3.x and AJP12 have an issue and that the issue is not present in Tomcat 5.

What about Tomcat 4 and 4.1? What about AJP13? The report simply does not address any of these variations.

On the other hand, any production installation should block communication on the AJP12 or AJP13 port except where it is coming from Apache. This completely addresses the vulnerability irrespective of version.

--
Jess Holle
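The mitigation Jess and Larry describe is about which listeners are reachable from outside. As an added example (not from this thread or the Tomcat project), this script audits a Tomcat 4.x-style server.xml for AJP connectors with no explicit `address` binding and for the shutdown port, listing what the firewall must restrict to the Apache host or localhost. The sample server.xml is constructed; the Tomcat 3.x `Ajp12Interceptor` syntax is not covered.

```python
"""Audit a Tomcat 4.x-style server.xml for AJP connectors and the shutdown
listener that are not confined to one interface, so they can be firewalled."""
import xml.etree.ElementTree as ET

# Constructed sample in Tomcat 4.1 style (not taken from any real deployment).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" minProcessors="5" maxProcessors="75"/>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8009" minProcessors="5" maxProcessors="75"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
  </Service>
</Server>
"""


def is_ajp(conn):
    """Recognise an AJP connector by its Jk handler (4.1), its Ajp13Connector
    class (4.0) or an AJP/1.x protocol attribute (5.x)."""
    return ("Jk" in conn.get("protocolHandlerClassName", "")
            or conn.get("className", "").endswith("Ajp13Connector")
            or conn.get("protocol", "").upper().startswith("AJP"))


def audit(server_xml):
    """Return (port, reason) tuples for listeners to restrict at the firewall:
    the shutdown port, and every AJP connector that has no 'address'
    attribute and therefore listens on all interfaces."""
    root = ET.fromstring(server_xml)
    findings = []
    shutdown_port = root.get("port")
    if shutdown_port and shutdown_port != "-1":
        findings.append((int(shutdown_port),
                         "shutdown listener: block from all remote hosts"))
    for conn in root.iter("Connector"):
        if not is_ajp(conn):
            continue
        if conn.get("address") is None:
            findings.append((int(conn.get("port")),
                             "AJP connector on all interfaces: allow only the Apache host"))
    return findings


if __name__ == "__main__":
    for port, reason in audit(SAMPLE_SERVER_XML):
        print(f"port {port}: {reason}")
```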

[EMAIL PROTECTED] wrote:



Hi,

CERT released a vulnerability note on Tomcat 3.x last week. See the following url for details:

http://www.kb.cert.org/vuls/id/204710

We are running two configurations of Apache and Tomcat:
Apache v1.3.27 with Tomcat v4.1.29
Apache v1.3.27 with Tomcat v4.0.6

I'm trying to determine if these versions of Tomcat are
vulnerable. Can anyone confirm or deny?

If you like, respond to summers_ed () emc ! com

Thanks,
Ed


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




