Hello,

Tomcat version: 8.5.31
O/S: Windows Server 2008 R2

McAfee vulnerability checker has reported a MEDIUM level vulnerability as
follows:

Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
[FID 23621]

Apache Software Foundation reports this in annou...@tomcat.apache.org
<https://lists.apache.org/list.html?annou...@tomcat.apache.org>:

CVE-2018-8014 Insecure defaults for CORS filter

and the only mitigation is to "Configure the filter appropriately for your
environment"

My question is:

What if you don't have a CORS filter configured anywhere in the Tomcat and
web apps associated web.xml files?

It seems that if you explicitly configure a minimum filter specified in the
documentation

(https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CORS_Filter)

then you have to be concerned about the cors.support.credentials allowing
the default of "true".

Thanks,

Rick
-- 
Richard M. Bradley (Rick)

*Geospatial Engineer*
BLM NOC EGIS
Sanborn Map Company, Inc.
Phone number: (303) 236-4538
rmbrad...@blm.gov
"Decide that you want it more than you're afraid of it.  Your greatest
dreams are all on the other side of the wall of fear and caution."

- Unknown

This e-mail, including any attachments, contains information intended only
for the use of the individual or entity to which it is addressed and may
contain information that is privileged and/or confidential or is otherwise
protected by law. If you are not the intended recipient or agent or an
employee responsible for delivering the communication to the intended
recipient, you are hereby notified that any review, use, disclosure,
copying and/or distribution of its contents is prohibited. If you have
received this e-mail in error, please notify us immediately by reply to
sender only and destroy the original.
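An added example, not part of the original message, of how the minimal CORS filter definition from the linked documentation looks when cors.support.credentials is set explicitly in WEB-INF/web.xml instead of relying on the "true" default the question describes; the origin value is a placeholder, and the filter only takes effect for a web application whose web.xml declares and maps it.

```xml
<!-- Added example (not from the original message): explicit CORS filter
     configuration for a web application's WEB-INF/web.xml. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>

  <!-- Name the origins that may call this application rather than
       accepting any origin. The value below is a placeholder. -->
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://app.example.invalid</param-value>
  </init-param>

  <!-- Set explicitly so the filter never depends on the default value
       of this parameter (reported as "true" in the question above). -->
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>

<!-- The filter is inactive until it is mapped to a URL pattern. -->
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Reviewing each web.xml for a `<filter-class>` of `org.apache.catalina.filters.CorsFilter` is the quickest way to confirm whether any application on the instance has the filter enabled at all.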