Tomcat users. I currently am running Apache Tomcat 8.5.13.0 on Windows Server 2012 R2 servers to support an NCR Aptra Vision application. A Tripwire vulnerability scan showed the servers have the Apache Tomcat CVE-2017-12617 vulnerability. To mitigate, I see I could upgrade to Apache Tomcat 8.5.23 or later. Instead of upgrading to 8.5.23 or later, I am wanting to 'turn off' HTTP PUT functionality. I have this simple question: Is it possible to mitigate the vulnerability by just adding/setting the init-param readonly param value to true for the DefaultServer in the Apache Tomcat instance's ../conf/web.xml file? Or is Tomcat 8.5.23 or higher required for Apache Tomcat to properly process the DefaultServer's setting when I set the readonly parameter to true?
The reason I ask is this: The Tripwire test still found the Tomcat CVE-2017-12617 vulnerability even after I did the following on the Windows Server 2012 R2 servers: stopped the Apache Tomcat instance, made the configuration change to the ../conf/web.xml file shown below, and re-started Apache Tomcat. The following should make the context read-only and cause HTTP commands like PUT and DELETE to be rejected.

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

Your help in the following matter would be much appreciated.

Mike

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
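The configuration change in the post can be audited offline before the instance is restarted. The following is an added example, not part of the original post or of Tomcat itself: a small Python script that parses a Tomcat conf/web.xml, locates the servlet whose class is org.apache.catalina.servlets.DefaultServlet, and reports the effective value of its readonly init-param, treating an absent parameter as Tomcat's documented default of true. The embedded sample web.xml is constructed from the <servlet> block in the post, wrapped in a minimal <web-app> root with the namespace Tomcat's web.xml declares; the function names are this example's own. It inspects only the configuration file, not the running instance's behaviour and not whatever version banner a scanner may be matching on.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the <servlet> block from the post, wrapped in a minimal
# <web-app> root carrying the namespace Tomcat's conf/web.xml declares.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip any XML namespace prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def default_servlet_readonly(web_xml_text):
    """Return the effective 'readonly' value of the DefaultServlet declaration.

    True  -> readonly=true is set, or the parameter is absent (Tomcat default)
    False -> readonly is explicitly set to something other than 'true'
    None  -> no DefaultServlet declaration found at all
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = None
        params = {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                servlet_class = _text(child)
            elif _local(child.tag) == "init-param":
                name = value = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        name = _text(p)
                    elif _local(p.tag) == "param-value":
                        value = _text(p)
                if name is not None:
                    params[name] = value
        if servlet_class == DEFAULT_SERVLET_CLASS:
            value = params.get("readonly")
            if value is None:
                return True  # parameter absent: Tomcat's default is true
            return value.lower() == "true"
    return None


def audit_web_xml(path):
    """Read a web.xml from disk and return the same tri-state result."""
    with open(path, "r", encoding="utf-8") as fh:
        return default_servlet_readonly(fh.read())


def describe(result):
    """Human-readable verdict for the audit result."""
    if result is None:
        return "no DefaultServlet declaration found"
    if result:
        return "DefaultServlet is read-only: PUT/DELETE are rejected"
    return "DefaultServlet readonly=false: PUT/DELETE are accepted"


if __name__ == "__main__":
    # Usage: python audit_readonly.py [path/to/conf/web.xml]
    # Without an argument the constructed sample from the post is audited.
    result = audit_web_xml(sys.argv[1]) if len(sys.argv) > 1 else default_servlet_readonly(SAMPLE_WEB_XML)
    print(describe(result))
```

Run it against the server's own conf/web.xml (and against any per-application WEB-INF/web.xml that redeclares the default servlet, since an application-level declaration overrides the global one) to confirm the value the running instance will actually read.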