Lynch, Charles [USA] wrote:
Thank you. I am fairly unfamiliar with Apache as a whole. Simply trying to 
address our possible attack surfaces. I appreciate your assistance.


Welcome.
By the way, I found the reference to the article below by entering this on Google:

CVE-2014-7810 and Tomcat

So if you have any more similar issues..

The references at the bottom of that article may also be of help:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html

(or not, as the case may be. But it is always better to be informed, isn't it?)


________________________________
From: André Warnier [a...@ice-sa.com]
Sent: Thursday, June 25, 2015 8:32 AM
To: Tomcat Users List
Subject: Re: [External] Re: CVE-2014-7810 Mitigation

Lynch, Charles [USA] wrote:
You are saying a malicious actor would need to be on the server itself to load 
an application?


Basically yes, or be allowed to load and deploy applications via the Manager application (which is either not installed, or anyway secured by default).

It is fairly clear in the mail archive article I quoted below, which is signed by one of the core Tomcat developers.

________________________________
From: André Warnier [a...@ice-sa.com]
Sent: Thursday, June 25, 2015 7:55 AM
To: Tomcat Users List
Subject: [External] Re: CVE-2014-7810 Mitigation

Lynch, Charles [USA] wrote:
Seeking guidance on mitigation of 
CVE-2014-7810<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810> on 
Apache Tomcat 6.0.37. Upgrading to 6.0.43 is not an option for my team at the moment, 
and we need to secure our install via other means until the patch can be applied. If 
there are any workarounds that can be provided, it would be much appreciated. Thank you.

Hi.
Maybe the first thing to ask yourself is if you are in a situation where you are really vulnerable to this vulnerability.
I am not an expert, but from the description, it sounds like this vulnerability could only be exploited by someone who has the possibility to load a malicious web application into the Tomcat system and have it be run.
Is that your case?
See
http://mail-archives.apache.org/mod_mbox/www-announce/201505.mbox/%3c5554ab1c.7050...@apache.org%3E




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
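The question André keeps coming back to is whether anyone other than the server's own administrators can get a web application loaded into this Tomcat, since that is the precondition for CVE-2014-7810. The script below is an added example written for this page; it is not from the thread or the Tomcat project. It audits the three deployment paths a practitioner would check first: users holding Manager roles in conf/tomcat-users.xml, the autoDeploy / deployOnStartup attributes on each Host in conf/server.xml (both default to true when absent), and whether the Manager application directory exists under webapps. The two configuration snippets embedded in it are constructed sample input, and the CATALINA_BASE path is an assumption for illustration.

```python
"""Audit the web-application deployment surface of a Tomcat instance.

Added example for this page, not code from the Tomcat project or the thread.
Checks: Manager roles in tomcat-users.xml, Host deploy attributes in
server.xml, and presence of the Manager webapp directory.
"""
import os
import xml.etree.ElementTree as ET

# Roles that let a user push a WAR through the Manager application.
# Tomcat 6.0.30+ split the old "manager" role into the finer-grained ones.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx"}

# Constructed sample conf/tomcat-users.xml (one user holds Manager roles).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="utf-8"?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="alice" password="s3cret" roles="tomcat"/>
  <user username="deployer" password="s3cret" roles="manager-gui,manager-script"/>
</tomcat-users>
"""

# Constructed sample conf/server.xml, trimmed to the Host element.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="utf-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix; Tomcat 7+ tomcat-users.xml carries one."""
    return tag.split("}")[-1]


def users_with_manager_roles(tomcat_users_xml: str) -> dict:
    """Return {username: sorted Manager roles} for every user that holds one."""
    root = ET.fromstring(tomcat_users_xml)
    found = {}
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        hit = sorted(roles & MANAGER_ROLES)
        if hit:
            # Tomcat accepts either attribute name for the login name.
            found[elem.get("username") or elem.get("name")] = hit
    return found


def host_deploy_settings(server_xml: str) -> list:
    """One dict per <Host>; missing attributes take Tomcat's default of true."""
    root = ET.fromstring(server_xml)
    hosts = []
    for host in root.iter("Host"):
        hosts.append({
            "name": host.get("name"),
            "appBase": host.get("appBase"),
            "autoDeploy": host.get("autoDeploy", "true").lower() == "true",
            "deployOnStartup": host.get("deployOnStartup", "true").lower() == "true",
        })
    return hosts


def manager_app_present(catalina_base: str) -> bool:
    """True if the Manager application directory exists under webapps."""
    return os.path.isdir(os.path.join(catalina_base, "webapps", "manager"))


def assess(tomcat_users_xml: str, server_xml: str, manager_present: bool) -> list:
    """Return a list of findings describing who could get a webapp loaded."""
    findings = []
    mgr_users = users_with_manager_roles(tomcat_users_xml)
    if manager_present and mgr_users:
        findings.append("Manager app is deployed and %s hold Manager roles: "
                        "anyone with those credentials can deploy a WAR remotely"
                        % sorted(mgr_users))
    for h in host_deploy_settings(server_xml):
        if h["autoDeploy"]:
            findings.append("Host %s: autoDeploy=true, a WAR written to %s is "
                            "deployed while Tomcat runs" % (h["name"], h["appBase"]))
        elif h["deployOnStartup"]:
            findings.append("Host %s: deployOnStartup=true, a WAR written to %s is "
                            "deployed at the next restart" % (h["name"], h["appBase"]))
    return findings


if __name__ == "__main__":
    catalina_base = "/opt/tomcat"  # assumed path, adjust for your install
    for line in assess(SAMPLE_TOMCAT_USERS, SAMPLE_SERVER_XML,
                       manager_app_present(catalina_base)):
        print("-", line)
```

On a real host, read conf/tomcat-users.xml and conf/server.xml from CATALINA_BASE into the two functions instead of the constructed strings. An empty findings list means no Manager user, no Manager webapp, and no Host that picks up WARs from appBase, which leaves filesystem write access to the server as the only way to load an application, the situation the thread describes.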