tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat issue (Solaris 10)
Date Thu, 08 Sep 2011 15:18:39 GMT

Amit,

On 9/7/2011 6:38 PM, Christopher Schultz wrote:
> I've been trying to determine if using an AJP "secret" will thwart 
> this kind of attack. I suspect it will, but I can't get my TC to
> take a secret just now (see my post under separate cover).

Confirmed: setting a "secret" on your AJP connection will prevent
these types of attack messages from being processed by Tomcat.

See the CVE announcement which includes this technique as a mitigatory
action:
http://markmail.org/message/w5ya5e2xv5xaw3zd

-chris
