Thanks for the response and confirmation, Mark.

On Wed, Mar 14, 2018 at 12:24 AM, Mark Thomas <ma...@apache.org> wrote:

> On 14/03/2018 01:04, Harish Krishnan wrote:
>
>> Hi All,
>>
>> Thanks for all the help and work you great people do.
>>
>>   My question is regarding CVE-2018-1305
>> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305> and
>> CVE-2018-1304 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304>
>> that were fixed in the latest builds.
>> We use Tomcat 7.x.
>>
>> a) When can we expect the CVE scores to be determined for these vulnerabilities?
>> On NVD, it still says "awaiting analysis".
>> This information would help us determine the SLA on when we need to update
>> our Tomcat builds.
>>
>
> The Tomcat community does not provide CVSS scores. There are multiple
> reasons for this including:
> - they are too subjective;
> - the true score depends on how Tomcat is being used and that can only
>   be determined by the user and can vary wildly from user to user for
>   any one vulnerability.
>
> The correct thing to do is exactly what you are doing. Review the
> vulnerabilities, figure out if they impact you or not and, if they do
> impact you, figure out the extent of that impact, what you need to do to
> mitigate that impact and how quickly you need to do it.
>
>> b) Regarding the 1st CVE (#1305), we do not use annotation-based security
>> constraints. Instead we configure them in our web.xml.
>> With this understanding, is it safe to consider we are not vulnerable?
>>
>
> Correct. You are not vulnerable because you do not define security
> constraints via annotations.
>
>> c) Regarding the 2nd CVE (#1304), the url pattern in all our security
>> constraints is of the format "/*".
>> "*" I believe would include everything.
>> To confirm with you, does this include the empty ("") string, making our
>> usage vulnerable too?
>>
>
> No. You are not vulnerable. The vulnerability only applies if the url
> pattern of the empty string is used to define a security constraint.
>
> Kind regards,
>
> Mark
>

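Mark's answer to (c) reduces to one mechanical check: does any <security-constraint> in the deployment descriptor use the empty-string <url-pattern>? The script below is an added example, not code from the thread or from the Tomcat project. It parses a web.xml and reports every constraint's url-patterns, flagging only those that contain "" (a constraint on "/*", as in Harish's setup, is listed but not flagged). The embedded web.xml is constructed for the example and deliberately contains one "/*" constraint and one empty-string constraint; the namespace handling is there so the same scan works for any web-app schema version. It says nothing about annotation-based constraints (CVE-2018-1305), which live in Java source rather than web.xml.

```python
"""Scan a web.xml for <security-constraint> elements whose <url-pattern>
is the empty string, the condition named in the thread for CVE-2018-1304.
Constraints that use "/*" are reported but not flagged."""
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor for this example (not from the thread).
# The second constraint uses the empty-string pattern on purpose.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>Whole application</display-name>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Context root only</display-name>
    <web-resource-collection>
      <web-resource-name>Root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the scan works for any web-app schema URI."""
    return tag.rsplit('}', 1)[-1]


def security_constraint_patterns(xml_text):
    """Return [(display_name, [url_patterns])] for every <security-constraint>."""
    root = ET.fromstring(xml_text)
    result = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        name = ''
        patterns = []
        for el in sc.iter():
            tag = _local(el.tag)
            if tag == 'display-name':
                name = (el.text or '').strip()
            elif tag == 'url-pattern':
                # Do not strip: the container treats "" and " " as different
                # patterns. An empty element (<url-pattern></url-pattern>)
                # parses as text None, which is the empty-string pattern.
                patterns.append(el.text if el.text is not None else '')
        result.append((name, patterns))
    return result


def empty_pattern_constraints(xml_text):
    """Names of constraints that define the empty-string url-pattern."""
    return [name for name, pats in security_constraint_patterns(xml_text)
            if '' in pats]


if __name__ == '__main__':
    for name, pats in security_constraint_patterns(SAMPLE_WEB_XML):
        print(f"{name!r}: {pats}")
    flagged = empty_pattern_constraints(SAMPLE_WEB_XML)
    print("constraints using the empty url-pattern:", flagged or "none")
```

Run it against your own descriptor by replacing SAMPLE_WEB_XML with the file contents; an empty list from empty_pattern_constraints means the web.xml-defined constraints do not use the pattern the thread describes.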