Bill Barker wrote:
"Jess Holle" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
This vulnerability note has to be amongst the most vague and least
informative I've ever seen. It says that Tomcat 3.x and AJP12 has an
issue and that the issue is not present in Tomcat 5.
What about Tomcat 4 and 4.1? What about AJP13? The report simply does
not address any of these variations.
AJP12 is deprecated in Tomcat 3.3.x, and isn't supported at all in Tomcat >= 4.
I know, which is why I was rather critical of the vulnerability note.
It raises general fears and questions but only sheds very little light
on the situation for anyone not using Tomcat 5.
At a guess, the AJP13 variant of it is http://issues.apache.org/bugzilla/show_bug.cgi?id=31204.
That sounds logical. Of course, a firewall seems like a better solution
to the whole class of issues here.
On the other hand, any production installation should block communication
on the AJP12 or AJP13 port except where it is coming from Apache. This
completely addresses the vulnerability irrespective of version.
--
Jess Holle
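The mitigation the thread settles on (allow AJP traffic only from the Apache front end and drop everything else) can be expressed as host firewall rules. The script below is an added example, not code from the thread or from the Tomcat project: it emits iptables rules for review rather than applying them. It assumes AJP13 on TCP 8009 and AJP12 on TCP 8007 (Tomcat's usual defaults) and uses placeholder addresses for the Apache hosts.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules that accept
# AJP connections only from the listed Apache hosts and drop all others.
# Assumptions: AJP13 on TCP 8009, AJP12 on TCP 8007; the 10.0.0.x addresses
# below are constructed placeholders for the Apache front-end hosts.

ajp_rules() {
    # $1 = AJP port, remaining args = source addresses allowed to reach it.
    port="$1"; shift
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$src"
    done
    # Catch-all: anything not matched above is dropped on this port.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Usage: print the rules, review them, then apply with e.g.
#   ajp_rules 8009 10.0.0.5 10.0.0.6 | sh
ajp_rules 8009 10.0.0.5 10.0.0.6
ajp_rules 8007 10.0.0.5
```

The rules are printed instead of executed so they can be checked before being loaded; the DROP rule is emitted last so that it only applies to sources not already accepted.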