Thanks Mark. Checked the error servlet; it handles doGet() and doPost() only, and doPost() internally calls doGet(). Yes, for PUT/DELETE we are getting 405.
Thanks,
Durga Srinivasu

On Fri, Jun 23, 2017 at 4:38 AM, Mark Thomas <ma...@apache.org> wrote:
> On 22/06/17 16:46, Durga Srinivasu Karuturi wrote:
> > Hi,
> >
> > We are using tomcat 8.5.14.
> >
> > As this CVE-2017-5664
> > <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664> is applicable
> > for the current tomcat version, we are trying to evaluate whether this CVE is
> > applicable to our web application or not.
> >
> >
> > We have a couple of JSP error pages. Tested; all of those are served as GET.
>
> No issue with the JSPs as long as they don't check the HTTP method and
> take different actions depending on what it is.
>
> > Also we have a custom error Servlet handler configured and in that also, we
> > do handle it as GET only.
>
> Might be worth checking how those servlets respond to non-GET requests.
> If you have only implemented doGet() your users could see a 405 response
> rather than the error page. That should be OK from a security point of
> view.
>
> > There are no static error files configured in our web application.
>
> Good. That removes probably the biggest risk which is the default servlet.
>
> > With these, can we take it that this CVE is not applicable to our web
> > application with 8.5.14 tomcat?
>
> From the information you have provided, you look to be OK but it is
> worth checking the few things I pointed out above.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
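One way to make a custom error servlet serve the same read-only page whatever method the failed request used (the behaviour Mark suggests checking, instead of a 405 from doGet()-only servlets) is to override service() rather than the per-method handlers. This is an added example, not code from the thread or from Tomcat; the /error mapping, the class name and the escape helper are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Error-page servlet that renders the same page for every HTTP method.
 * The container forwards the original request to the error page, so a
 * failed PUT or DELETE arrives here as a PUT or DELETE. Overriding
 * service() avoids the 405 that HttpServlet sends for unimplemented
 * methods, and nothing below changes state based on the method.
 */
@WebServlet("/error") // hypothetical mapping; point <error-page> at it in web.xml
public class ErrorPageServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Attributes set by the container when forwarding to an error page
        Integer status = (Integer) req.getAttribute("javax.servlet.error.status_code");
        String uri = (String) req.getAttribute("javax.servlet.error.request_uri");

        // Keep the status the container chose; fall back to 500 when the
        // servlet is reached directly rather than via the error mechanism.
        int code = status != null ? status : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        resp.setStatus(code);
        resp.setContentType("text/html;charset=UTF-8");

        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><body>");
        out.println("<h1>Error " + code + "</h1>");
        if (uri != null) {
            // The original URI is client-controlled: escape before echoing it
            out.println("<p>Request: " + escape(uri) + "</p>");
        }
        out.println("</body></html>");
    }

    // Minimal HTML escaping for the few characters that matter in text content
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```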