tomcat-users mailing list archives

From Daniel Mikusa <>
Subject Re: Vulnerability Remediation
Date Fri, 04 Nov 2011 20:35:30 GMT

The link is a list of the files that were modified to fix the
vulnerability.  These files can be used to patch the source code for
Tomcat.  After patching the source code, you would then need to
recompile it and update your Tomcat installation with the recompiled

In my opinion, it's easier to apply one of the mitigations now and
upgrade to Tomcat 6.0.34 when it is officially released.

* Configure both Tomcat and the reverse proxy to use a shared secret.
(It is "request.secret" attribute in AJP <Connector>,
"worker.workername.secret" directive for mod_jk. The mod_proxy_ajp
module currently does not support shared secrets).
* Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector
(It is automatically selected if you do not have Tomcat-Native library
installed. It can be also selected explicitly: <Connector


On Fri, 2011-11-04 at 13:20 -0700, Brendan P Keenan wrote:
> It has been identified to me by our security group that my Apache Tomcat
> 6.0.33 has the following vulnerability CVE-2011-3190. There is a link on
> the Apache Tomcat 6.0 Security page to
> as a patch.
> The link list three files:
> /tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/
> /tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/
> /tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
> There is no trunk or java/org/apache/coyote directory in my installation.
> Do I add those directories to apply the patch.
> I am completely new at all of this so all help and direction is appreciated
> and necessary.
> Thanks
> Brendan P Keenan
> Mainframe Automation
> Home Office - Columbia, CT USA
> GOS | Global Enterprise Service Mgmt | 1.860.416.0251 | |
> This is a PRIVATE message. If you are not the intended recipient, please
> delete without copying and kindly advise us by e-mail of the mistake in
> delivery.
> NOTE: Regardless of content, this e-mail shall not operate to bind CSC to
> any order or other contract unless pursuant to explicit written agreement
> or government initiative expressly permitting the use of e-mail for such
> purpose.
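The first mitigation listed above (a shared AJP secret between Tomcat and mod_jk) only works if the same value ends up on both sides, so the fragment below is an added helper, not part of this thread or of the Tomcat project. It generates one random secret, writes a Tomcat 6 AJP <Connector> pinned to the JK (BIO) handler with request.secret, writes the matching mod_jk worker.<name>.secret entry, and checks that the two files agree. Port 8009, the worker name ajp13, the loopback address binding and the output file names are assumptions; adjust them to your deployment. mod_proxy_ajp is not covered because, as the quoted mitigation notes, it does not support shared secrets.

```shell
#!/bin/sh
# Added example (not from the thread): one shared secret for the Tomcat AJP
# connector and the mod_jk worker, plus a check that both sides match.
# Port, worker name, address and file paths are assumptions.

gen_secret() {
    # 32 random bytes, hex encoded (64 chars); od fallback if openssl is absent
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

write_tomcat_connector() {
    # $1 = secret, $2 = output file (fragment to paste into server.xml)
    # protocol pins the JK/BIO handler explicitly instead of relying on the
    # absence of Tomcat-Native; request.secret is the JK connector attribute.
    cat > "$2" <<EOF
<!-- AJP connector: JK (BIO) handler, loopback only, shared secret required -->
<Connector port="8009" protocol="org.apache.jk.server.JkCoyoteHandler"
           address="127.0.0.1" redirectPort="8443"
           request.secret="$1" />
EOF
}

write_mod_jk_worker() {
    # $1 = secret, $2 = output file (workers.properties for mod_jk)
    cat > "$2" <<EOF
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=127.0.0.1
worker.ajp13.port=8009
worker.ajp13.secret=$1
EOF
}

secrets_match() {
    # $1 = connector fragment, $2 = workers.properties
    # Returns 0 only if a non-empty secret is present and identical on both sides.
    t=$(sed -n 's/.*request\.secret="\([^"]*\)".*/\1/p' "$1")
    w=$(sed -n 's/^worker\.ajp13\.secret=//p' "$2")
    [ -n "$t" ] && [ "$t" = "$w" ]
}

# Stand-alone use: AJP_DEMO_DIR=/tmp/ajp sh this_script.sh
if [ -n "${AJP_DEMO_DIR:-}" ]; then
    mkdir -p "$AJP_DEMO_DIR"
    s=$(gen_secret)
    write_tomcat_connector "$s" "$AJP_DEMO_DIR/ajp-connector.xml"
    write_mod_jk_worker "$s" "$AJP_DEMO_DIR/workers.properties"
    if secrets_match "$AJP_DEMO_DIR/ajp-connector.xml" "$AJP_DEMO_DIR/workers.properties"; then
        echo "secrets match; fragments written to $AJP_DEMO_DIR"
    else
        echo "secret mismatch" >&2
        exit 1
    fi
fi
```

The connector fragment goes into server.xml in place of the existing AJP <Connector>, and workers.properties is read by mod_jk on the Apache httpd side; a mismatch causes mod_jk requests to be rejected, so run secrets_match after any edit to either file.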