Thank you for the confirmation! Much appreciated.

On Tue, Oct 1, 2019 at 12:46 PM Mark Thomas <[email protected]> wrote:
> > Martin,
> >
> > On 10/1/19 10:35, Martin Cocaro wrote:
> >> Apache Tomcat Users Team,
> >
> >> The purpose of this email is to request information regarding
> >> Apache Tomcat CVE-2018-8037
> >> <https://www.securityfocus.com/bid/104894/info> possibly affecting
> >> version 8.0.X (particularly 8.0.53). The CVE was made public on
> >> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
> >> EOL date of Tomcat 8.0.X was 30-Jun-2018.
> >
> >> Reaching out to you to get confirmation on whether the CVE is
> >> confirmed to not affect the version 8.0.X or if the CVE was not
> >> tested against such version at all as its EOL date preceded the
> >> public disclosure.
> >
> >> Your help on this matter would be greatly appreciated.
> >
> > That source you are reading (securityfocus) lists all of the
> > vulnerable versions. If you look at the Mitre report, you'll see the
> > same thing, except that they provide a *range* of versions instead of
> > just the individual ones affected.
> >
> > No Tomcat 8.0.x versions appear in the list.
> >
> > I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> > code, but I do not believe it is/was vulnerable to this CVE.
>
> I've just been reading through the internal discussion for
> CVE-2018-8037. The conclusion was that neither 8.0.x nor 7.0.x was
> vulnerable.
>
> Mark
