Hi,
I'm using Tomcat 6.0.29. In my site, I'm using a security certificate from www.securitymetrics.com <http://www.securitymetrics.com>, which was invalidated today, giving the following reason:

Description: JRun JSESSIONID weakness
Severity: Potential Problem
CVE: CVE-2004-1478 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1478>
     CVE-2004-2182 <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2182>

Impact: Several vulnerabilities in JRun server could allow an intruder to view arbitrary files, execute arbitrary code, or list directories on the server.

Background: JRun is a Java application server from Macromedia. It runs on both Unix and Windows NT/2000 systems, and can act as a standalone server or connect with Apache, IIS or Netscape web servers. ColdFusion is a web application development solution which can run with or without a web application server.

Resolution:
For JRun 2.3.3, apply the patches referenced in Macromedia Product Security Bulletins 00-28 <http://www.adobe.com/devnet/security/security_zone/asb00-28.html> and 00-29 <http://www.adobe.com/devnet/security/security_zone/asb00-29.html>.
For JRun 3.0 and 3.1, install the cumulative patch referenced in Macromedia Product Security Bulletin 04-08 <http://www.adobe.com/devnet/security/security_zone/mpsb04-08.html>.
For JRun 4.0, install the cumulative patch referenced in Macromedia Product Security Bulletin 05-13 <http://www.adobe.com/devnet/security/security_zone/mpsb05-13.html> and the patches in Adobe Product Security Bulletin 07-05 <http://www.adobe.com/support/security/bulletins/apsb07-05.html> and 09-12 <http://www.adobe.com/support/security/bulletins/apsb09-12.html>.
For ColdFusion MX 6.0 and 6.1, install the patch referenced in Macromedia Product Security Bulletin 04-09 <http://www.adobe.com/devnet/security/security_zone/mpsb04-09.html> and the patch in Adobe Product Security Bulletin 07-05 <http://www.adobe.com/support/security/bulletins/apsb07-05.html>.
Bulletins can be found in the Macromedia Security Zone <http://www.adobe.com/support/security/>.

Vulnerability Details: Service: http

I'm not using JRun, but I guess the vulnerability applies also to Tomcat 6.0.29 so they treated me as if I was using JRun with that vulnerability. Does anybody know what I should do to solve this now?

I guess they are talking about this issue (please read issue # 2):
http://www.developer.com/java/web/article.php/3904871/Top-7-Features-in-Tomcat-7-The-New-and-the-Improved.htm

Brian