geronimo-user mailing list archives

From Kevan Miller <kevan.mil...@gmail.com>
Subject [SECURITY] Potential vulnerability in Apache Tomcat Webdav servlet
Date Thu, 18 Oct 2007 19:22:21 GMT
The Geronimo project has learned of a security vulnerability in the  
Apache Tomcat Webdav Servlet implementation. If you use a Tomcat  
configuration of Geronimo and configure a write-enabled Webdav  
servlet, you may be affected by this vulnerability. If you do not  
configure the Webdav servlet or configure read-only Webdav servlets,  
you are not impacted by this vulnerability. Jetty configurations of  
Geronimo are not affected by this vulnerability.

This vulnerability impacts all Geronimo releases up to and including
Geronimo 2.0.2.

For specific information regarding the Tomcat issue, see
http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3c47135C2D.1000705@apache.org%3e

By default, Geronimo releases do not use the Webdav servlet. However,  
it is possible for the Webdav Servlet to be configured or referenced  
by a user-written application.

The Webdav Servlet could be explicitly configured in a web.xml  
deployment descriptor as follows:

    ...
    <servlet>
        <servlet-name>webdav</servlet-name>
        <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
    </servlet>

Alternatively, a user's application could extend the WebdavServlet,  
for example:

    import org.apache.catalina.servlets.WebdavServlet;

    public class MyServlet extends WebdavServlet {
        ...
    }

If you configure a write-enabled Webdav servlet, we recommend that you:

   - Disable write access to the Webdav Servlet until this problem  
has been fixed, or
   - Limit access to the Webdav servlet to only trusted users.
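As an added check (not part of the original message or of Geronimo), the following Python script flags servlets in a web.xml that are explicitly configured as the Tomcat WebdavServlet with readonly=false. It assumes Tomcat's default of readonly=true when the parameter is absent, and it cannot detect user-written subclasses of WebdavServlet, which need a source review.

```python
import xml.etree.ElementTree as ET

WEBDAV_CLASS = "org.apache.catalina.servlets.WebdavServlet"


def _local(tag):
    """Strip the XML namespace so web.xml with or without xmlns parses alike."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    """Return the stripped text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def write_enabled_webdav_servlets(web_xml):
    """Return the servlet-names of WebdavServlet entries configured with readonly=false.

    Assumption (Tomcat's documented default): a missing readonly init-param means
    read-only, so only an explicit 'false' is reported as write-enabled.
    """
    root = ET.fromstring(web_xml)
    found = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _text(servlet, "servlet-class") != WEBDAV_CLASS:
            continue
        readonly = "true"  # default when no readonly init-param is present
        for param in servlet:
            if _local(param.tag) == "init-param" and _text(param, "param-name") == "readonly":
                readonly = (_text(param, "param-value") or "true").lower()
        if readonly == "false":
            found.append(_text(servlet, "servlet-name"))
    return found


# Constructed sample descriptor: one write-enabled and one read-only WebDAV servlet.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>docs</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    print("write-enabled WebDAV servlets:", write_enabled_webdav_servlets(SAMPLE_WEB_XML))
```

Run it against each deployed application's WEB-INF/web.xml; any name it prints should be switched to readonly=true or placed behind an authentication constraint for trusted users.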

This vulnerability will be fixed in the next release of Geronimo  
(2.0.3 and/or 2.1).

--kevan