You are saying a malicious actor would need to be on the server itself to load 
an application?

________________________________
From: André Warnier [a...@ice-sa.com]
Sent: Thursday, June 25, 2015 7:55 AM
To: Tomcat Users List
Subject: [External] Re: CVE-2014-7810 Mitigation

Lynch, Charles [USA] wrote:
> Seeking guidance on mitigation of 
> CVE-2014-7810<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810> on 
> Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the 
> moment, and we need to secure our install via other means until the patch can 
> be applied. If there are any workarounds that can be provided it would be much 
> appreciated. Thank you.
>
Hi.
Maybe the first thing to ask yourself is if you are in a situation where you are really vulnerable to this vulnerability.
I am not an expert, but from the description, it sounds like this vulnerability could only be exploited by someone who has the possibility to load a malicious web application into the Tomcat system, and have it be run.
Is that your case?
See
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E



