On 22/06/17 16:46, Durga Srinivasu Karuturi wrote:
> Hi,
> 
> We are using tomcat 8.5.14.
> 
> As this CVE-2017-5664
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664> is applicable
> for current tomcat version, we are trying to evaluate whether this CVE is
> applicable to our web application or not.
> 
> 
> We have a couple of JSP error pages. We tested them; all are served as GET.

No issue with the JSPs as long as they don't check the HTTP method and
take different actions depending on what it is.

> Also we have custom error Servlet handler configured and in that also, we
> do handle it as GET only.

Might be worth checking how those servlets respond to non-GET requests.
If you have only implemented doGet() your users could see a 405 response
rather than the error page. That should be OK from a security point of view.

> There are no static error files configured in our web application.

Good. That removes probably the biggest risk which is the default servlet.

> With these, can we take it that this CVE is not applicable to our web application
> with tomcat 8.5.14?

From the information you have provided, you look to be OK but it is
worth checking the few things I pointed out above.

Mark
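The point raised in the reply, that an error servlet should not branch on the HTTP method and should not answer 405 for non-GET requests, can be illustrated with a custom error handler that serves the same read-only page whatever method the container forwards to it. The code below is an added example for this thread, not code from the original post or from Tomcat itself; the class name `ErrorHandlerServlet` and the web.xml path `/errorHandler` mentioned in the usage note are assumptions. It overrides `service()` rather than `doGet()` so that a request forwarded to the error page with its original method (PUT, DELETE, POST, ...) still gets the error page, and nothing in the handler reads or acts on `req.getMethod()`.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical custom error handler, mapped via <error-page> in web.xml.
// service() is overridden so every HTTP method renders the same read-only
// error page; the method is never inspected and never triggers a write.
public class ErrorHandlerServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container sets these request attributes when it forwards the
        // original request to an error page (Servlet spec error mechanism).
        Integer status = (Integer) req.getAttribute("javax.servlet.error.status_code");
        String uri = (String) req.getAttribute("javax.servlet.error.request_uri");
        if (status == null) {
            // Reached directly rather than via the error mechanism: treat as 404
            // instead of exposing a generic 200 page.
            status = HttpServletResponse.SC_NOT_FOUND;
        }

        resp.setStatus(status);
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<h1>Error " + status + "</h1>");
        // The original URI is attacker-controlled input; escape it before echoing
        // so the error page itself cannot be used for reflected XSS.
        out.println("<p>Request URI: " + escapeHtml(uri == null ? "" : uri) + "</p>");
        out.println("</body></html>");
    }

    // Minimal HTML escaping for the five characters that matter in text content.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Map it in web.xml with an `<error-page>` entry whose `<location>` points at the servlet's path (for example `/errorHandler`), one entry per `<error-code>` or `<exception-type>` you want it to cover. To perform the check suggested above, request a URL in your own application that is known to produce the error (a non-existent path for 404) with `curl -i -X PUT` and `curl -i -X DELETE` as well as GET: each should return the same status and body as the GET, not a 405 and, more importantly, not a success status indicating that something was written.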

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
