On 22/06/2022 10:18, Stephane Passignat wrote:
Hello,
I'm trying to understand this CVE and EncryptInterceptor.
So far my understanding is that EncryptInterceptor is used in a clustered
environment. Am I right?
Reading the content of the commit and release notes, it only looks
like a documentation issue. Is there really any DDoS weakness?
Yes, there is a DoS issue. If you use the EncryptInterceptor on an
untrusted network then it is possible for an attacker to mount a DoS
attack on the Tomcat instances in the network.
The documentation change was to make clear that it wasn't safe to do this.
If we implement message size limits for cluster messages then an
appropriate message limit along with the EncryptInterceptor should be
safe (but I can't be certain as we haven't implemented and tested it).
Mark