On 24/02/2020 at 14:32, Joost van Baal-Ilić wrote:
> Tomcat as shipped by Debian is likely not vulnerable from the network in the
> default configuration, since by default Tomcat AJP Connector only listens on
> localhost:8009, not on *:8009 .
I confirm the Tomcat packages shipped in Debian aren't vulnerable with the default configuration; the AJP connector has been disabled by default since 2008.

https://salsa.debian.org/java-team/tomcat9/blob/debian/9.0.16-4/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch
https://salsa.debian.org/java-team/tomcat8/blob/debian/8.5.50-0+deb9u1/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch
https://salsa.debian.org/java-team/tomcat7/blob/debian/7.0.56-3+really7.0.91-1/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

Emmanuel Bourg
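The two messages above turn on one configuration detail: whether an AJP `<Connector>` is present in Tomcat's `server.xml` at all, and if so whether its `address` attribute restricts it to loopback. The following script is an added example, not code from the thread or from the Debian packages. It parses a `server.xml` (the one embedded here is constructed for illustration; its comment mirrors the effect of Debian's patch, which leaves the AJP connector commented out) and reports every AJP connector with its bind address. The function names `audit_server_xml` and `is_ajp` are mine. A connector with no `address` attribute is reported as exposed, because older Tomcat releases bind such a connector to all interfaces; a reviewer should treat that case as "not explicitly restricted" rather than safe.

```python
"""Audit a Tomcat server.xml for AJP connectors and where they bind.

Added example (not from the mailing-list thread). SAMPLE_SERVER_XML is a
constructed file; pass the text of a real server.xml to audit_server_xml()
to check an actual installation.
"""
import xml.etree.ElementTree as ET

# Addresses that keep the connector reachable only from the local host.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: one HTTP connector, one AJP connector left commented
# out (the shape Debian's patch produces), and three live AJP connectors
# with different address settings.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- Commented out, as after Debian's 0002-do-not-load-AJP13 patch: -->
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"/>
    <Connector port="8011" protocol="AJP/1.3" address="0.0.0.0" redirectPort="8443"/>
    <Connector port="8012" protocol="org.apache.coyote.ajp.AjpNioProtocol" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""


def is_ajp(connector):
    """True if the <Connector> speaks AJP, by short name or by class name."""
    proto = connector.get("protocol", "HTTP/1.1")
    # "AJP/1.3" is the usual spelling; the explicit class names all contain "Ajp".
    return proto.startswith("AJP/") or "Ajp" in proto


def audit_server_xml(xml_text):
    """Return one finding per live AJP connector: port, address, exposed flag.

    Commented-out connectors never reach the parser, so a Debian-style
    server.xml with only a commented AJP block yields an empty list.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if not is_ajp(conn):
            continue
        address = conn.get("address")  # None when the attribute is absent
        findings.append({
            "port": conn.get("port"),
            "address": address,
            # Absent or non-loopback address: reachable beyond the local host.
            "exposed": address not in LOOPBACK,
        })
    return findings


def exposed_ajp_ports(xml_text):
    """Ports of AJP connectors that are not confined to loopback."""
    return [f["port"] for f in audit_server_xml(xml_text) if f["exposed"]]


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        state = "EXPOSED" if finding["exposed"] else "loopback only"
        print(f"AJP port {finding['port']} address={finding['address']}: {state}")
```

Run against the sample, the commented-out connector on 8009 produces no finding, 8010 is reported as loopback only, and 8011 and 8012 are reported as exposed. On a real host, pair the file check with `ss -ltnp` (or `netstat -ltnp`) to confirm what the running process actually bound, since `server.xml` can be overridden by a different `CATALINA_BASE`.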