TomCat users.
I currently am running Apache Tomcat 8.5.13.0 on Windows Server 2012 R2 servers
to support a NCR Aptra Vision application. A Tripwire vulnerability scan
showed the servers have the Apache Tomcat CVE-2017-12617 Vulnerability. To
mitigate I see I could upgrade to Apache Tomcat 8.5.23 or later. Instead of
upgrading to 8.5.23 or later, I am wanting to 'turn off' HTTP PUT
functionality. I have this simple question: Is it possible to mitigate the
vulnerability by just adding/setting the init-param readonly param value to
true for the DefaultServer in the Apache TomCat instance ../conf/web.xml file?
Or is Tomcat 8.5.23 or higher required for Apache TomCat to properly process
the DefaultServer's setting when I set the readonly parameter to true?
The reason I ask is this: The Tripwire test still found the Tomcat
CVE-2017-12617 Vulnerability even after I did the following on the Windoww
Server 2012 R2 servers: Stopped Apache Tomcat intance, made the configuration
change to the ../conf/web.xml file shown below, and re-started Apache Tomcat.
The following should make the context read-only and HTTP commands like PUT and
DELETE to be rejected.
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>readonly</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
Your help in the following matter would be much appreciated.
Mike
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
