tomcat-users mailing list archives

From André Warnier
Subject Re: tomcat 6.0.18 shutdown address
Date Thu, 18 Feb 2010 15:52:55 GMT
Curtis Garman wrote:
> Is this something new for tomcat 6?...I was told there was a security
> vulnerability there with tomcat 5

Yes.  At some point in time in version 5.0 or 5.5 or 6.0, someone 
realised that if this "shutdown port" allowed connections from anywhere, 
there was a theoretical possibility that some miscreant, if he also knew 
the shutdown "password string" (the one indicated by the "shutdown" 
attribute), might send it just to be a pain and annoy everyone by 
shutting down Tomcat.
That was when it was decided to only allow connections from localhost on 
that port, to restrict the attack surface.
Of course, as long as they do not know this shutdown string (because you 
have changed it from the default), they cannot use this anyway.
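The settings discussed above live on the `<Server>` element of server.xml: the shutdown port, the shutdown string, and the address the listener binds to (localhost unless overridden). The following audit script is an added example, not code from the thread or from Tomcat; it parses a `<Server>` element and reports the two weak states the reply describes, a default shutdown string and a listener reachable from outside the loopback interface. The sample `<Server>` elements are constructed here, and the assumption that a missing `port` means 8005 is ours.

```python
import xml.etree.ElementTree as ET

# The shutdown command string shipped in Tomcat's stock server.xml.
DEFAULT_SHUTDOWN = "SHUTDOWN"
# Addresses on which the shutdown listener is reachable only from the host itself.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_shutdown_config(server_xml: str) -> list:
    """Return findings about the <Server> shutdown listener in server.xml.

    An empty list means the listener is disabled (port -1) or both hardened
    conditions hold: non-default shutdown string and loopback-only binding.
    """
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        return ["root element is not <Server>"]
    # Assumption: Tomcat's conventional default of 8005 when 'port' is absent.
    port = int(root.get("port", "8005"))
    if port == -1:
        return []  # shutdown port disabled entirely; nothing listens
    findings = []
    if root.get("shutdown", DEFAULT_SHUTDOWN) == DEFAULT_SHUTDOWN:
        findings.append("shutdown string is the well-known default")
    # Tomcat binds the shutdown port to localhost unless 'address' overrides it.
    address = root.get("address", "localhost")
    if address not in LOOPBACK:
        findings.append("shutdown port bound to non-loopback address " + address)
    return findings


# Constructed <Server> elements for demonstration (not from any real deployment).
STOCK = '<Server port="8005" shutdown="SHUTDOWN"/>'
EXPOSED = '<Server port="8005" shutdown="SHUTDOWN" address="0.0.0.0"/>'
HARDENED = '<Server port="8005" shutdown="CHANGE-ME-random-string" address="127.0.0.1"/>'
DISABLED = '<Server port="-1" shutdown="SHUTDOWN"/>'

if __name__ == "__main__":
    for name, xml in [("stock", STOCK), ("exposed", EXPOSED),
                      ("hardened", HARDENED), ("disabled", DISABLED)]:
        print(name, audit_shutdown_config(xml) or ["ok"])
```

Run it against the `<Server ...>` element of a real server.xml to confirm the listener is loopback-only and the shutdown string has been changed, or simply set `port="-1"` if remote shutdown is never needed.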
