Yes, upgrading to 8.5 is work in progress, but we would want to have a
conclusive test that the same scenario fails in 8.0.X. What is the best way
to distribute the POC code and what is required from our end to get access
to it?

On Tue, Oct 1, 2019 at 1:54 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Martin,
>
> On 10/1/19 12:15, Martin Cocaro wrote:
> > Thank you Chris for the answer. The EOL date and its policy made
> > me wonder if the CVE was tested against that version.
> >
> > Is there any place I can get a POC version of the CVE test case so
> > that I can do the test myself against version 8.0.53?
> Possibly, but we won't be distributing any PoC code, here.
>
> Why not simply plan to migrate to Tomcat 8.5? The process should be
> fairly smooth.
>
> -chris
>
> > On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Martin,
> >
> > On 10/1/19 10:35, Martin Cocaro wrote:
> >>>> Apache Tomcat Users Team,
> >>>>
> >>>> The purpose of this email is to request information
> >>>> regarding Apache Tomcat CVE-2018-8037
> >>>> <https://www.securityfocus.com/bid/104894/info> possibly
> >>>> affecting version 8.0.X (particularly 8.0.53). The CVE was
> >>>> made public on 22-July-2018, after being privately disclosed
> >>>> on 16-Jun-2018. The EOL date of Tomcat 8.0.X was
> >>>> 30-Jun-2018.
> >>>>
> >>>> Reaching out to you to get confirmation on whether the CVE
> >>>> is confirmed to not affect the version 8.0.X or if the CVE
> >>>> was not tested against such version at all as its EOL date
> >>>> preceded the public disclosure.
> >>>>
> >>>> Your help on this matter would be greatly appreciated.
> >
> > That source you are reading (securityfocus) lists all of the
> > vulnerable versions. If you look at the Mitre report, you'll see
> > the same thing, except that they provide a *range* of versions
> > instead of just the individual ones affected.
> >
> > No Tomcat 8.0.x versions appear in the list.
> >
> > I haven't personally tested Tomcat 8.0.x against any
> > proof-of-concept code, but I do not believe it is/was vulnerable to
> > this CVE.
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >
