tomcat-users mailing list archives
From Mark Thomas <>
Subject [Security] - Important vulnerability disclosed in Apache Tomcat webdav servlet
Date Mon, 15 Oct 2007 12:25:17 GMT
A vulnerability in the Apache Tomcat webdav servlet was publicly
disclosed on full-disclosure yesterday, 14-Oct-2007.[1]

The Tomcat security team has evaluated this vulnerability and
determined that default installations of Tomcat 6.0.x, 5.5.x and 4.1.x
are not affected.

In order to be affected, systems must have:
- one or more contexts configured for webdav using Tomcat's built-in
webdav implementation
- enabled write capability via webdav

- Tomcat 6.0.x has no webdav enabled contexts by default
- Tomcat 5.5.x and 4.1.x have a read-only webdav enabled context
(/webdav) by default

Systems with write-enabled webdav contexts that use Tomcat's built-in
webdav servlet are exposed to this vulnerability which, for such
systems, is important.

The mitigations available are:
- Disable write access until a fixed version is released
- Limit write access to trusted users
- Apply the following patch which will be included in the next
releases of 6.0.x, 5.5.x and 4.1.x

Index: src/share/org/apache/catalina/servlets/
--- src/share/org/apache/catalina/servlets/
(revision 584648)
+++ src/share/org/apache/catalina/servlets/	(working
@@ -252,6 +252,7 @@
         try {
             documentBuilderFactory =
+            documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder =
         } catch(ParserConfigurationException e) {
             throw new ServletException
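Review bot: the added setExpandEntityReferences(false) at line +252 only stops entity references from being substituted into the resulting DOM; it does not by itself stop the parser from resolving external DTDs or external parameter entities, so for defence in depth the factory should also reject DOCTYPE declarations or disable external entities, for example `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` or the SAX features `external-general-entities` and `external-parameter-entities` set to false. setFeature throws ParserConfigurationException, which the existing catch on the line following the hunk already handles, so no further error handling is needed. The placement is right: the flag is set on the factory before the builder is created on the next line, and it would have no effect on an already-created builder.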

