On 01/08/2019 20:07, Justiniano, Tony wrote:
> And that is what I was thinking, inadvertently, our scanning tool just found 
> the apache version during a scan and corresponded it (the apache version) 
> with a CVE.
> Do you concur?

Sounds likely. Most low quality scanning tools only look at the version


> Tony Justiniano
> Engineer I, EUS Engineering
> Wyndham Destinations
> 6277 Sea Harbor Drive
> Orlando, FL 32821
> Office: +1-407-626-5416
> Mobile: +1-407-463-4297
> tony.justini...@wyn.com
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, August 1, 2019 3:05 PM
> To: users@tomcat.apache.org
> Subject: Re: FW: Apache Vulnerability - Understanding Connector Protocols
> This e-mail is from an external source.  Use caution when opening attachments 
> or clicking on links.
> On 01/08/2019 19:49, Justiniano, Tony wrote:
>> Forwarding from an initial email this morning.
>> _______________________________________________________
>> Good Morning,
>> I have been referred to this team in an attempt to have some questions 
>> answered.  Before I ask those question let me provide a little background on 
>> how I got to this point.
>> Vulnerability scans showed that two of my servers in the DMZ came back with 
>> CVE-2019-10072 vulnerability.  The CVE information is below:
>> The fix for CVE-2019-0199 was incomplete and did not address HTTP/2
>> connection window exhaustion on write in Apache Tomcat versions
>> 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE
>> messages for the connection window (stream 0) clients were able to
>> cause server-side threads to block eventually leading to thread
>> exhaustion and a DoS.
>> (CVE-2019-10072<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-201
>> 9-10072>)
>> The question I have is based on the server.xml configuring the connector and 
>> protocols used.  Below are both of my servers server.xml connector entries:
>> Server6: <Connector port="443" 
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> Server5: <Connector port="443" 
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> What I have highlighted are the protocols that are used for those specific 
>> connectors on the servers.
>> So, my question is in your professional opinions, if I'm not calling the 
>> http2 protocol in any connector, my servers shouldn't be susceptible to the 
>> particular CVE's vulnerability assessment.
>> Please let me know if this question can be answered.
> If you don't have
> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> nested in a Connector anywhere in your server.xml that you can't possibly be 
> vulnerable to HTTP/2 related vulnerabilities.
> Looks like it is time to start shopping for a new vulnerability scanner.
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> This email message (including all attachments) is for the sole use of the 
> intended recipient(s) and may contain confidential and/or privileged 
> information, or may otherwise be protected by work product or other legal 
> rules. If you are not the intended recipient, please contact the sender by 
> reply email and destroy all copies of the original message. Unless otherwise 
> indicated in the body of this email, nothing in this communication is 
> intended to operate as an electronic signature and this transmission cannot 
> be used to form, document, or authenticate a contract. Wyndham Destinations, 
> Inc., and/or its affiliates may monitor all incoming and outgoing email 
> communications, including the content of emails and attachments, for 
> security, legal compliance, training, quality assurance and other purposes. 
> The sender believes that this email and any attachments were free of any 
> virus, worm, Trojan horse, malicious code and/or other contaminants when 
> sent. Email transmissions cannot be guaranteed to be secure or error-free, so 
> this message and its attachments could have been infected, corrupted or made 
> incomplete during transmission. By reading the message and opening any 
> attachments, the recipient accepts full responsibility for any viruses or 
> other defects that may arise, and for taking remedial action relating to such 
> viruses and other defects. Neither Wyndham Destinations, Inc., nor any of its 
> affiliated entities is liable for any loss or damage arising in any way from, 
> or for errors or omissions in the contents of, this message or its 
> attachments.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to