Mike,

You have nothing to worry about. As long as readonly was never
explicitly set to false, you have not been vulnerable to CVE-2017-12617
at any point.

readonly is true by default. CVE-2017-12617 only applies if readonly is
false which requires explicit configuration.

I'm curious what tests Tripwire is performing to determine that this
vulnerability is present. I wonder if it is relying on an OPTIONS
request to determine if PUT is enabled? The problem with that is that
OPTIONS tells you what is supported, not what is permitted.

Mark
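A way to check the point above on disk rather than trusting a scanner: the script below (an added example, not code from this thread or from the Tomcat project) parses a Tomcat conf/web.xml, finds the servlet declared with the DefaultServlet class, and reports the effective readonly value, treating an absent parameter as true because that is Tomcat's default. It assumes Tomcat reads the parameter with Java's Boolean.parseBoolean semantics (only a case-insensitive "true" counts as true). The three web.xml fragments are constructed sample input, not any real server's configuration.

```python
"""Report whether a Tomcat conf/web.xml leaves the DefaultServlet writable.

Added example for the thread above; not code from the thread or from Tomcat.
Rule applied: the DefaultServlet's "readonly" init-param defaults to true, so
PUT/DELETE (and CVE-2017-12617) require an explicit readonly=false.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    # web.xml usually declares the Java EE namespace; strip it so the
    # element names match whether or not xmlns is present.
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the effective readonly setting of the DefaultServlet.

    True when the parameter is absent (Tomcat default) or explicitly true,
    False only when the DefaultServlet declares readonly=false.
    Raises ValueError if no DefaultServlet is declared.
    """
    root = ET.fromstring(web_xml_text)
    found = False
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text for c in servlet if _local(c.tag) == "servlet-class"), None)
        if (cls or "").strip() != DEFAULT_SERVLET_CLASS:
            continue
        found = True
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly":
                # Assumed Boolean.parseBoolean semantics: only "true"
                # (case-insensitive) is true; "false", "no", "" are false.
                return value.lower() == "true"
    if not found:
        raise ValueError("no DefaultServlet declared in this web.xml")
    return True  # parameter absent: Tomcat's default is read-only


def put_enabled(web_xml_text):
    """True when this web.xml would let the DefaultServlet accept PUT."""
    return not default_servlet_readonly(web_xml_text)


def _web_xml(readonly_param):
    # Constructed sample config; readonly_param is None or an init-param line.
    extra = readonly_param or ""
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET_CLASS}</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    {extra}
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""


# Constructed inputs: stock (no readonly), explicit true, explicit false.
STOCK_WEB_XML = _web_xml(None)
EXPLICIT_TRUE_WEB_XML = _web_xml(
    "<init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>")
WRITABLE_WEB_XML = _web_xml(
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>")


if __name__ == "__main__":
    for label, text in (("stock", STOCK_WEB_XML),
                        ("readonly=true", EXPLICIT_TRUE_WEB_XML),
                        ("readonly=false", WRITABLE_WEB_XML)):
        print(f"{label:15s} PUT enabled: {put_enabled(text)}")
```

Run it against the real file with `default_servlet_readonly(open("conf/web.xml").read())`. Note that a per-application WEB-INF/web.xml can declare its own DefaultServlet, so check those too, not only conf/web.xml. To confirm at runtime, send an actual PUT to a throwaway path and look for a rejection rather than a 2xx; an OPTIONS response listing PUT in Allow only shows the method is supported, which is the scanner behaviour questioned above.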


On 13/02/2019 18:35, Adams, Michael wrote:
> TomCat users.
> I currently am running Apache Tomcat 8.5.13.0 on Windows Server 2012 R2 
> servers to support a NCR Aptra Vision application.  A Tripwire vulnerability 
> scan showed the servers have the Apache Tomcat CVE-2017-12617 Vulnerability.  
> To mitigate I see I could upgrade to Apache Tomcat 8.5.23 or later.   Instead 
> of upgrading to 8.5.23 or later, I am wanting to 'turn off' HTTP PUT 
> functionality.  I have this simple question: Is it possible to mitigate the 
> vulnerability by just adding/setting the init-param readonly param value to 
> true for the DefaultServer in the Apache TomCat instance  ../conf/web.xml 
> file? Or is Tomcat 8.5.23 or higher required for Apache TomCat to properly 
> process the DefaultServer's setting when I set the readonly parameter to 
> true? 
> 
> The reason I ask is this: The Tripwire test still found the Tomcat 
> CVE-2017-12617 Vulnerability even after I did the following on the Windows 
> Server 2012 R2 servers: Stopped Apache Tomcat instance, made the configuration 
> change to the ../conf/web.xml file shown below, and re-started Apache Tomcat.
> 
> The following should make the context read-only and HTTP commands like PUT 
> and DELETE to be rejected.
>     <servlet>
>         <servlet-name>default</servlet-name>
>         <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>         <init-param>
>             <param-name>debug</param-name>
>             <param-value>0</param-value>
>         </init-param>
>         <init-param>
>             <param-name>listings</param-name>
>             <param-value>false</param-value>
>         </init-param>
>         <init-param>
>             <param-name>readonly</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <load-on-startup>1</load-on-startup>
>     </servlet>
> 
> Your help in the following matter would be much appreciated.   
> 
> Mike
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 

