Thank you. I am fairly unfamiliar with Apache as a whole. Simply trying to address our possible attack surfaces. I appreciate your assistance.
________________________________ From: André Warnier [a...@ice-sa.com] Sent: Thursday, June 25, 2015 8:32 AM To: Tomcat Users List Subject: Re: [External] Re: CVE-2014-7810 Mitigation Lynch, Charles [USA] wrote: > You are saying a malicious actor would need to be on the server itself to > load an application? > Basically yes, or be allowed to load and deploy applications via the Manager application (which is either not installed, or anyway secured by default) It is fairly clear in the mail archive article I quoted below, which is signed by one of the core Tomcat developers. > ________________________________ > From: André Warnier [a...@ice-sa.com] > Sent: Thursday, June 25, 2015 7:55 AM > To: Tomcat Users List > Subject: [External] Re: CVE-2014-7810 Mitigation > > Lynch, Charles [USA] wrote: >> Seeking guidance on mitigation of >> CVE-2014-7810<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810> >> on Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at >> the moment, and we need to secure our install via other means until the >> patch can be applied. If there are any workaround that can be provided it >> would be much appreciated. Thank you. >> > Hi. > Maybe the first thing to ask yourself, is if you are in a situation where you > are really > vulnerable to this vulnerability. > I am not an expert, but from the description, it sounds like this > vulnerability could only > be exploited by someone who has the possibility to load a malicious web > application into > the Tomcat system, and have it be run. > Is that your case ? > See > http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
