On 01/08/2019 20:07, Justiniano, Tony wrote:
> And that is what I was thinking, inadvertently, our scanning tool just found
> the Apache version during a scan and corresponded it (the Apache version)
> with a CVE.
>
> Do you concur?
Sounds likely. Most low-quality scanning tools only look at the version number.

Mark

> Tony Justiniano
> Engineer I, EUS Engineering
> Wyndham Destinations
>
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, August 1, 2019 3:05 PM
> To: users@tomcat.apache.org
> Subject: Re: FW: Apache Vulnerability - Understanding Connector Protocols
>
> On 01/08/2019 19:49, Justiniano, Tony wrote:
>> Forwarding from an initial email this morning.
>>
>> _______________________________________________________
>>
>> Good Morning,
>>
>> I have been referred to this team in an attempt to have some questions
>> answered. Before I ask those questions let me provide a little background on
>> how I got to this point.
>>
>> Vulnerability scans showed that two of my servers in the DMZ came back with
>> CVE-2019-10072 vulnerability. The CVE information is below:
>>
>> The fix for CVE-2019-0199 was incomplete and did not address HTTP/2
>> connection window exhaustion on write in Apache Tomcat versions
>> 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE
>> messages for the connection window (stream 0) clients were able to
>> cause server-side threads to block eventually leading to thread
>> exhaustion and a DoS.
>> (CVE-2019-10072 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10072>)
>>
>> The question I have is based on the server.xml configuring the connector and
>> protocols used.
>> Below are both of my servers' server.xml connector entries:
>>
>> Server6: <Connector port="443"
>>          protocol="org.apache.coyote.http11.Http11NioProtocol"
>>
>> Server5: <Connector port="443"
>>          protocol="org.apache.coyote.http11.Http11NioProtocol"
>>
>> What I have highlighted are the protocols that are used for those specific
>> connectors on the servers.
>>
>> So, my question is, in your professional opinions, if I'm not calling the
>> http2 protocol in any connector, my servers shouldn't be susceptible to the
>> particular CVE's vulnerability assessment.
>>
>> Please let me know if this question can be answered.
>
> If you don't have
>
> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>
> nested in a Connector anywhere in your server.xml then you can't possibly be
> vulnerable to HTTP/2 related vulnerabilities.
>
> Looks like it is time to start shopping for a new vulnerability scanner.
>
> Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
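As an added example, not code from this thread or from the Tomcat project: a small check that applies Mark's criterion to a server.xml, reporting only the connectors that actually have the HTTP/2 UpgradeProtocol nested in them, instead of going by the Tomcat version number alone as the scanner did. The sample server.xml is constructed; the port 8443 connector and the function names are assumptions.

```python
# Added example (not code from the mailing-list thread): check a Tomcat
# server.xml for HTTP/2 the way Mark describes, i.e. look for an
# <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
# nested in a <Connector>, rather than matching the Tomcat version alone.
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample: port 443 mirrors the Server5/Server6 entries in the
# thread (no HTTP/2); port 8443 is a hypothetical connector that enables it;
# the commented-out connector must not count.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />
    <!-- <Connector port="8080" protocol="HTTP/1.1">
           <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
         </Connector> -->
    <Connector port="8443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
"""

def http2_connectors(server_xml: str) -> list:
    """Return (port, protocol) for every Connector that enables HTTP/2.
    ElementTree discards XML comments while parsing, so a commented-out
    HTTP/2 connector is ignored; Connectors are found at any depth."""
    root = ET.fromstring(server_xml)
    found = []
    for connector in root.iter("Connector"):
        upgrades = connector.findall("UpgradeProtocol")
        if any(u.get("className") == HTTP2_CLASS for u in upgrades):
            found.append((connector.get("port"),
                          connector.get("protocol", "HTTP/1.1")))
    return found

def exposed_to_http2_cves(server_xml: str) -> bool:
    """True only if at least one Connector actually enables HTTP/2."""
    return bool(http2_connectors(server_xml))

if __name__ == "__main__":
    print("HTTP/2 connectors:", http2_connectors(SAMPLE_SERVER_XML) or "none")
    print("HTTP/2 CVEs (e.g. CVE-2019-10072) applicable:",
          exposed_to_http2_cves(SAMPLE_SERVER_XML))
```

Run it against the real conf/server.xml of each server; a result of "none" means the HTTP/2 finding is a version-only false positive.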