Lynch, Charles [USA] wrote:
You are saying a malicious actor would need to be on the server itself to load
an application?
Basically yes, or be allowed to load and deploy applications via the Manager application
(which is either not installed, or anyway secured by default)
It is fairly clear in the mail archive article I quoted below, which is signed by one of
the core Tomcat developers.
________________________________
From: André Warnier [a...@ice-sa.com]
Sent: Thursday, June 25, 2015 7:55 AM
To: Tomcat Users List
Subject: [External] Re: CVE-2014-7810 Mitigation
Lynch, Charles [USA] wrote:
Seeking guidance on mitigation of
CVE-2014-7810<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810> on
Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment,
and we need to secure our install via other means until the patch can be applied. If
there are any workaround that can be provided it would be much appreciated. Thank you.
Hi.
Maybe the first thing to ask yourself, is if you are in a situation where you
are really
vulnerable to this vulnerability.
I am not an expert, but from the description, it sounds like this vulnerability
could only
be exploited by someone who has the possibility to load a malicious web
application into
the Tomcat system, and have it be run.
Is that your case ?
See
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
