Mark,
Thanks for your input.   It was very helpful.  My InfoSecurity technician who 
runs the Tripwire app believes Apache Tomcat vs 8.5.13 is being flagged for the 
CVE-2017-12617 vulnerability solely off of the version.   Tripwire isn't trying 
to see if HTTP PUT is enabled.  He is opening a false positive ticket with the 
Tripwire vendor to get more information on their check.

Mike

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Wednesday, February 13, 2019 1:20 PM
To: users@tomcat.apache.org
Subject: [External] Re: Question regarding mitigating the CVE-2017-12617 vulnerability

Mike,

You have nothing to worry about. As long as readonly was never
explicitly set to false, you have not been vulnerable to CVE-2017-12617
at any point.

readonly is true by default. CVE-2017-12617 only applies if readonly is
false which requires explicit configuration.

I'm curious what tests Tripwire is performing to determine that this
vulnerability is present. I wonder if it is relying on an OPTIONS
request to determine if PUT is enabled? The problem with that is that
OPTIONS tells you what is supported, not what is permitted.

Mark


On 13/02/2019 18:35, Adams, Michael wrote:
> TomCat users.
> I currently am running Apache Tomcat 8.5.13.0 on Windows Server 2012 R2 servers to support an NCR Aptra Vision application. 
>  A Tripwire vulnerability scan showed the servers have the Apache Tomcat 
> CVE-2017-12617 Vulnerability.  To mitigate I see I could upgrade to Apache 
> Tomcat 8.5.23 or later.   Instead of upgrading to 8.5.23 or later, I am 
> wanting to 'turn off' HTTP PUT functionality.  I have this simple question: 
> Is it possible to mitigate the vulnerability by just adding/setting the 
> init-param readonly param value to true for the DefaultServer in the Apache 
> TomCat instance  ../conf/web.xml file? Or is Tomcat 8.5.23 or higher required 
> for Apache TomCat to properly process the DefaultServer's setting when I set 
> the readonly parameter to true? 
> 
> The reason I ask is this: The Tripwire test still found the Tomcat 
> CVE-2017-12617 Vulnerability even after I did the following on the Windows 
> Server 2012 R2 servers: Stopped the Apache Tomcat instance, made the configuration 
> change to the ../conf/web.xml file shown below, and re-started Apache Tomcat.
> 
> The following should make the context read-only and HTTP commands like PUT 
> and DELETE to be rejected.
>     <servlet>
>         <servlet-name>default</servlet-name>
>         <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>         <init-param>
>             <param-name>debug</param-name>
>             <param-value>0</param-value>
>         </init-param>
>         <init-param>
>             <param-name>listings</param-name>
>             <param-value>false</param-value>
>         </init-param>
>         <init-param>
>             <param-name>readonly</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <load-on-startup>1</load-on-startup>
>     </servlet>
> 
> Your help in the following matter would be much appreciated.   
> 
> Mike
> 


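Mark's point above is that CVE-2017-12617 only applies when the DefaultServlet's readonly init-param has been explicitly set to false, since Tomcat's default is true; a version-only scanner check cannot see that. The following added script (not from the thread, not Tomcat's own code) encodes that rule as a config audit: it parses a conf/web.xml, locates the servlet declared with class org.apache.catalina.servlets.DefaultServlet, and reports whether readonly is effectively true. The sample documents are constructed from the XML in Mike's message; the web-app root element and its namespace are assumptions so the fragment parses as a complete file.

```python
"""Audit a Tomcat conf/web.xml for the DefaultServlet 'readonly' init-param.

Added example, not from the mailing-list thread or the Tomcat project.
Rule encoded (as stated in the thread): readonly defaults to true, so only
an explicit 'false' exposes the CVE-2017-12617 condition (DefaultServlet
accepting PUT/DELETE).
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def default_servlet_init_params(xml_text):
    """Return {param-name: param-value} for the servlet whose class is
    DefaultServlet, or None when no such servlet is declared in the file."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((_text(c) for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls != DEFAULT_SERVLET:
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            name = value = None
            for child in ip:
                if _local(child.tag) == "param-name":
                    name = _text(child)
                elif _local(child.tag) == "param-value":
                    value = _text(child)
            if name is not None:
                params[name] = value
        return params
    return None


def default_servlet_readonly(xml_text):
    """True unless readonly is explicitly 'false'; an absent param means the
    Tomcat default (true) applies."""
    params = default_servlet_init_params(xml_text)
    if params is None:
        return True  # nothing in this file overrides the default
    return (params.get("readonly") or "true").strip().lower() != "false"


# Constructed sample: the fragment from Mike's message wrapped in an assumed
# web-app root (namespace chosen to resemble Tomcat's own conf/web.xml).
SAMPLE_READONLY_TRUE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# Constructed sample: the one configuration the thread says is actually exposed.
SAMPLE_READONLY_FALSE = SAMPLE_READONLY_TRUE.replace(
    "<param-name>readonly</param-name><param-value>true</param-value>",
    "<param-name>readonly</param-name><param-value>false</param-value>")

# Constructed sample: readonly omitted entirely, so the default (true) applies.
SAMPLE_READONLY_ABSENT = SAMPLE_READONLY_TRUE.replace(
    "<init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>",
    "")

if __name__ == "__main__":
    for label, doc in [("explicit true", SAMPLE_READONLY_TRUE),
                       ("explicit false", SAMPLE_READONLY_FALSE),
                       ("absent", SAMPLE_READONLY_ABSENT)]:
        print(f"readonly {label:14s}: PUT/DELETE writable = {not default_servlet_readonly(doc)}")
```

Running it reports writable only for the explicit-false document. Two caveats when using this on a real server: a web application's own WEB-INF/web.xml can redeclare the default servlet and override the global conf/web.xml, so every deployed application should be checked as well; and, as Mark notes, a scanner that infers exposure from an OPTIONS response or from the version string alone is not observing this setting at all.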
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org