Mark, Thanks for your input. It was very helpful. My InfoSecurity technician who runs the Tripwire app believes Apache Tomcat vs 8.5.13 is being flagged for the CVE-2017-12617 vulnerability solely off of the version. Tripwire isn't trying to see if HTTP PUT is enabled. He is opening a false positive ticket with the Tripwire vendor to get more information on their check.
Mike -----Original Message----- From: Mark Thomas [mailto:ma...@apache.org] Sent: Wednesday, February 13, 2019 1:20 PM To: users@tomcat.apache.org Subject: [External] Re: Question regarding mitigating the CVE-2017-12617 vulnerability Mike, You have nothing to worry about. As long as readonly was never explicitly set to false, you have not been vulnerable to CVE-2017-12617 at any point. readonly is true by default. CVE-2017-12617 only applies if readonly is false which requires explicit configuration. I'm curious what tests Tripwire is performing to determine that this vulnerability is present. I wonder if it is relying on an OPTIONS request to determine if PUT is enabled? The problem with that is that OPTIONS tells you what is supported, not what is permitted. Mark On 13/02/2019 18:35, Adams, Michael wrote: > TomCat users. > I currently am running Apache Tomcat > https://urldefense.proofpoint.com/v2/url?u=http-3A__8.5.13.0&d=DwICaQ&c=LkAXfnqL6_MvrMPL5JzdE3Ild0DUTpmjbCJvMv5_TcQ&r=p3_goTYT-PvEzXC6jGr9rg&m=EyqQRJjlE-MS2UtSwB36b0JrzdT5stm5F4mjaEAE7Mw&s=_4_hoZTjRXAb-gUL3WJvsPiWcIqUBuEFWbO2Kr_y3S8&e= > on Windows Server 2012 R2 servers to support a NCR Aptra Vision application. > A Tripwire vulnerability scan showed the servers have the Apache Tomcat > CVE-2017-12617 Vulnerability. To mitigate I see I could upgrade to Apache > Tomcat 8.5.23 or later. Instead of upgrading to 8.5.23 or later, I am > wanting to 'turn off' HTTP PUT functionality. I have this simple question: > Is it possible to mitigate the vulnerability by just adding/setting the > init-param readonly param value to true for the DefaultServer in the Apache > TomCat instance ../conf/web.xml file? Or is Tomcat 8.5.23 or higher required > for Apache TomCat to properly process the DefaultServer's setting when I set > the readonly parameter to true? > > The reason I ask is this: The Tripwire test still found the Tomcat > CVE-2017-12617 Vulnerability even after I did the following on the Windoww > Server 2012 R2 servers: Stopped Apache Tomcat intance, made the configuration > change to the ../conf/web.xml file shown below, and re-started Apache Tomcat. > > The following should make the context read-only and HTTP commands like PUT > and DELETE to be rejected. > <servlet> > <servlet-name>default</servlet-name> > > <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class> > <init-param> > <param-name>debug</param-name> > <param-value>0</param-value> > </init-param> > <init-param> > <param-name>listings</param-name> > <param-value>false</param-value> > </init-param> > <init-param> > <param-name>readonly</param-name> > <param-value>true</param-value> > </init-param> > <load-on-startup>1</load-on-startup> > </servlet> > > Your help in the following matter would be much appreciated. > > Mike > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
