Tomcat users.
I currently am running Apache Tomcat 8.5.13.0 on Windows Server 2012 R2 servers 
to support an NCR Aptra Vision application.  A Tripwire vulnerability scan 
showed the servers have the Apache Tomcat CVE-2017-12617 vulnerability.  To 
mitigate, I see I could upgrade to Apache Tomcat 8.5.23 or later.  Instead of 
upgrading to 8.5.23 or later, I am wanting to 'turn off' HTTP PUT 
functionality.  I have this simple question: Is it possible to mitigate the 
vulnerability by just adding/setting the init-param readonly param value to 
true for the DefaultServer in the Apache Tomcat instance's ../conf/web.xml file? 
Or is Tomcat 8.5.23 or higher required for Apache Tomcat to properly process 
the DefaultServer's setting when I set the readonly parameter to true? 

The reason I ask is this: The Tripwire test still found the Tomcat 
CVE-2017-12617 vulnerability even after I did the following on the Windows 
Server 2012 R2 servers: stopped the Apache Tomcat instance, made the configuration 
change to the ../conf/web.xml file shown below, and re-started Apache Tomcat.

The following should make the context read-only and cause HTTP commands like PUT and 
DELETE to be rejected.
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

Your help in the following matter would be much appreciated.   

Mike
