Aiden,

On 7/15/24 13:24, Jurevich, Aidan wrote:
> My organization has a few devices that have the file
> tomcat-juli-8.5.57.jar installed on them via the program Altair and
> are showing up as vulnerable to CVE-2019-0232 and CVE-2020-1938,
> which according to your documentation seems to be fixed for this
> version of the file.
If you are not enabling the CGI servlet (which is disabled by default), then you are not vulnerable to CVE-2019-0232.

If you are not using AJP to proxy traffic between a reverse proxy (e.g. IIS, Apache httpd, nginx, etc.) and Tomcat, then you are not vulnerable to CVE-2020-1938.

I'm interested to know why Altair is installing that specific version of that file into your environment, and, honestly, why ANY version of that file into your environment. If Tomcat is not being used, then tomcat-juli-x.y.z.jar should be completely useless. If Tomcat *is* being used, then /all of Tomcat should be upgraded/ beyond 8.5.57 as there are known published security vulnerabilities that have been fixed in later versions.

The JULI package seems to have been removed in Tomcat 8.5.4[1][2] and I'm curious as to why that file has that particular version number.

> This seems to be an issue with Microsoft Defender being unable to
> read the version of the file. I was just making sure for our records
> that this issue has been solved as well as checking to see if you had
> any recommendations about how we can get this file to stop popping up
> as vulnerable.
I would be curious to find out why this file is there *at all*. It seems to have no business being anywhere.

But if it really is some kind of misnamed Tomcat logging library from the distant past, it cannot make you vulnerable to either CVE referenced above.

Hope that helps,
-chris

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58588
[2] https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.4_(markt)
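The two conditions Chris names (CGI servlet enabled, AJP connector in use) can be checked directly in a Tomcat installation's conf/web.xml and conf/server.xml. The following is an added example, not code from the list or the Tomcat project; the XML snippets are constructed samples, and the Connector attribute names it reads (`protocol`, `port`, `address`, `secretRequired`) are standard Tomcat attributes.

```python
"""Audit Tomcat config for the exposure conditions behind the two CVEs in the thread:
CVE-2019-0232 needs the CGI servlet enabled, CVE-2020-1938 needs an AJP connector."""
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"


def cgi_servlet_enabled(web_xml: str) -> bool:
    """True if a live <servlet> declaration uses the CGI servlet class.
    Tomcat ships it commented out, and XML comments are skipped by the parser,
    so the stock web.xml reports False. Tag match ignores the web-app namespace."""
    root = ET.fromstring(web_xml)
    return any(el.tag.endswith("servlet-class") and (el.text or "").strip() == CGI_CLASS
               for el in root.iter())


def ajp_connectors(server_xml: str) -> list:
    """Return each AJP Connector with the attributes that govern its exposure.
    'address' is None when the connector does not bind to an explicit interface."""
    root = ET.fromstring(server_xml)
    return [
        {"port": c.get("port"), "address": c.get("address"),
         "secretRequired": c.get("secretRequired")}
        for c in root.iter("Connector")
        if c.get("protocol", "HTTP/1.1").upper().startswith("AJP")
    ]


# Constructed sample: default-style web.xml with the CGI servlet commented out.
WEB_XML_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class></servlet>
  <!-- <servlet><servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet> -->
</web-app>"""

# Constructed sample: same file with the CGI servlet declaration uncommented.
WEB_XML_CGI = WEB_XML_DEFAULT.replace("<!-- ", "").replace(" -->", "")

# Constructed sample: server.xml with an AJP connector left enabled on all interfaces.
SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    print("CGI servlet enabled:", cgi_servlet_enabled(WEB_XML_DEFAULT))
    print("AJP connectors:", ajp_connectors(SERVER_XML))
```

Run it against a real install by reading the two files from $CATALINA_BASE/conf; an AJP entry with no `address` and no `secretRequired` is the case worth following up on.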
