This vulnerability note has to be amongst the most vague and least informative I've ever seen. It says that Tomcat 3.x and AJP12 have an issue and that the issue is not present in Tomcat 5.

What about Tomcat 4 and 4.1? What about AJP13? The report simply does not address any of these variations.

On the other hand, any production installation should block communication on the AJP12 or AJP13 port except where it is coming from Apache. This completely addresses the vulnerability irrespective of version.

--
Jess Holle

[EMAIL PROTECTED] wrote:

Hi,

CERT released a vulnerability note on Tomcat 3.x last week. See the following url for details:

http://www.kb.cert.org/vuls/id/204710

We are running two configurations of Apache and Tomcat:
Apache v1.3.27 with Tomcat v4.1.29
Apache v1.3.27 with Tomcat v4.0.6

I'm trying to determine if these versions of Tomcat are vulnerable. Can
anyone confirm or deny?

If you like, respond to summers_ed () emc ! com

Thanks,
Ed


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



