Hi,

We are trying to analyze the two CVEs below, which relate to the Tomcat sendfile feature.

CVE-2017-5647 (Production Tomcat 8.0.26)
CVE-2017-5651 (Current Tomcat 8.5.12)

We are enabling compression with the NIO connector. As per the docs, sendfile is enabled by default at the connector level, and sendfile takes precedence over compression. We are also not setting any request attribute "org.apache.tomcat.sendfile.support" to enable this support.

With this, can we assume sendfile will not be used and that these two CVEs are not applicable to us? Or do we need to disable it at the connector level to completely turn off sendfile?

Please clarify.

Thanks,
Durga Srinivasu