Hi Abhishek,
                     
> -----Original Message-----
> From: Kumar, Abhishek (IT Information Services ) 
> [mailto:abhishek.kum...@originenergy.com.au] 
> Sent: Tuesday, 10 January 2017 12:17
> To: users@tomcat.apache.org
> Subject: Vulnerability Issue with Apache Tomcat 8.0.15 with CSRF token
> 
> 
> Hi,
> 
> The Apache Tomcat web server running on the Load balancer is affected by an 
> information disclosure vulnerability in the index page of the Manager and 
> Host Manager applications. An unauthenticated attacker can exploit this 
> vulnerability to obtain a valid cross-site request forgery (CSRF) token 
> during the redirect issued when requesting /manager/ or /host-manager/. This 
> token can be utilized by an attacker to construct a CSRF attack.
> 
> This is a vulnerability issue with Tomcat 8.0.15.
> 
> We have this version of Tomcat installed on our servers.
> 
> As suggested by Tomcat, this has been addressed and fixed after 8.0.32 
> versions.
> 
> Restrict access to the /manager URL from unauthorised IP addresses by 
> implementing access control lists that only permit authorised management 
> stations or subnets. For more information, see:
> 
> https://urldefense.proofpoint.com/v2/url?u=http-3A__tomcat.apache.org_security-2D8.html-23Fixed-5Fin-5FApache-5FTomcat-5F8.0.32&d=DgIFAg&c=ZgVRmm3mf2P1-XDAyDsu4A&r=-JJsXOks_2Pd13691jEHA6PBSyPcGzblOMm00qdlxbs&m=54nd4qu7eMUZgW9FFIX2Q9G2FdQGJ69mCZu7VvFyN0s&s=y_OfZJOm3x6d8KgLtJS6flhRUDt_I8Aqk6kymbu3u2k&e=
> 
> 
> But we do not want to upgrade Tomcat right now.
> 
> Is there a way to implement this fix in our current Tomcat version?
> 
> 
> Kind Regards,
> Abhishek Kumar
> 
> Note: This email, including any attachments, is confidential. If you have 
> received this email in error, please advise the sender and delete it and all 
> copies of it from your system. If you are not the intended recipient of this 
> email, you must not use, print, distribute, copy or disclose its content to 
> anyone
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


From a security standpoint there is no way around updating.

Specifically the CSRF attack is executed from the client, so whoever is at one 
of the authorized management stations will be executing the CSRF requests.

Aside from this one vulnerability, all versions up to the current 8.0.40 fix a 
whole load of flaws. So even if you restrict access to the management console 
(via RemoteAddrValve), all other vulnerabilities that are more than info 
disclosures will still persist.

Best regards

Peter


Peter Kreuser
AirPlus International 
Security Officer - Application Development
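As an added illustration (not from the thread, and not Tomcat's shipped configuration), this is the RemoteAddrValve restriction Peter refers to, placed in the manager application's own context file. The 10.20.30.0/24 management subnet is a made-up placeholder; substitute your own management stations.

```xml
<!-- webapps/manager/META-INF/context.xml (or conf/Catalina/localhost/manager.xml) -->
<Context antiResourceLocking="false" privileged="true">

  <!-- Only serve /manager to clients whose address matches one of these
       regular expressions: IPv4/IPv6 loopback plus the (assumed) management
       subnet 10.20.30.0/24. Everything else receives 403 Forbidden, so an
       anonymous client on the wider network can no longer fetch the redirect
       that leaks the CSRF token. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.20\.30\.\d+" />

  <!-- Caveat 1: if Tomcat sits behind a load balancer or reverse proxy, the
       address it sees is the proxy's. A RemoteIpValve configured before this
       valve (typically in server.xml at Host or Engine level) is needed so
       that the X-Forwarded-For client address is evaluated instead; whether
       your balancer sets that header is an assumption you must verify.
       Caveat 2: as Peter notes, a CSRF request is issued by the browser of a
       user on an allowed station, so this valve does not stop the attack
       itself; only the 8.0.32+ fix does. -->
</Context>
```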
