Don't think so. Apache just passes the traffic to Tomcat. We fronted our Tomcat CAS server with Apache, and we could easily spike the CPU up by sending a custom header via curl in our testing environment. We applied the patch to our JVMs immediately.

Regards,
Hongbo

On 2/17/2011 3:28 PM, Bodine, James wrote:
> Does anyone have any information or thoughts on whether this
> vulnerability (http://www.jasig.org/cas/news/cve-2010-4476) is
> mitigated with Apache fronting tomcat?
>
> James Bodine
> Manager, Web Services & Middleware
> Fort Lewis College - Information Technology
> 970-247-7304
> [email protected]
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Hongbo HE
Manager, Application Infrastructure
Computing and Communications Services
Ryerson University
hongbo at ryerson dot ca
416 979 5000 ext 6576
