Thanks for the response and confirmation, Mark.

On Wed, Mar 14, 2018 at 12:24 AM, Mark Thomas <> wrote:

> On 14/03/2018 01:04, Harish Krishnan wrote:
>> Hi All,
>> Thanks for all the help and work you great people do.
>>   My question is regarding CVE-2018-1305
>> <> and
>> CVE-2018-1304 <
>> cvename.cgi?name=CVE-2018-1304>
>> that
>> were fixed in the latest builds.
>> We use Tomcat 7.x.
>> a) When can we expect the CVE scores determined for these vulnerabilities.
>> On NVD, it still says awaiting analysis.
>> This information would help us determine the SLA on when we can update
>> tomcat builds.
> The Tomcat community does not provide CVSS scores. There are multiple
> reasons for this including:
> - they are too subjective;
> - the true score depends on how Tomcat is being used and that can only
>   be determined by the user and can vary wildly from user to user for
>   any one vulnerability.
> The correct thing to do is exactly what you are doing. Review the
> vulnerabilities, figure out of they impact you or not and, if they do
> impact you, figure out the extent of that impact, what you need to to to
> mitigate that impact and how quickly you need to do it.
> b) Regarding 1st CVE (#1305), we do not use annotation based security
>> constraints. Instead we configure it in our web.xml.
>> With this understanding, is it safe to consider we are not vulnerable?
> Correct. You are not vulnerable because you do not define security
> constraints via annotations.
> c) Regarding 2nd CVE (#1304), the url pattern in all our security
>> constraints is of the format "/*".
>> * i believe would include everything.
>> To confirm with you, does this include the empty ("") string to make our
>> usage vulnerable too?
> No. You are not vulnerable. The vulnerability only applies if the url
> pattern of the empty string is used to define a security constraint.
> Kind regards,
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Reply via email to