What about Tomcat 4 and 4.1? What about AJP13? The report simply does not address any of these variations.
On the other hand, any production installation should block communication on the AJP12 or AJP13 port except where it is coming from Apache. This completely addresses the vulnerability irrespective of version.
-- Jess Holle
[EMAIL PROTECTED] wrote:
Hi,
CERT released a vulnerability note on Tomcat 3.x last week. See the following url for details:
http://www.kb.cert.org/vuls/id/204710
We are running two configurations of Apache and Tomcat:
Apache v1.3.27 with Tomcat v4.1.29
Apache v1.3.27 with Tomcat v4.0.6
I'm trying to determine if these versions of Tomcat are vulnerable. Can anyone confirm or deny?
If you like, respond to summers_ed () emc ! com
Thanks,
Ed
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]