tomcat-users mailing list archives

From "Kumar, Abhishek (IT Information Services )" <>
Subject Vulnerability Issue with Apache Tomcat 8.0.15 with CSRF token
Date Tue, 10 Jan 2017 11:16:51 GMT


The Apache Tomcat web server running on the Load balancer is affected by an information disclosure
vulnerability in the index page of the Manager and Host Manager applications. An unauthenticated
attacker can exploit this vulnerability to obtain a valid cross-site request forgery (CSRF)
token during the redirect issued when requesting /manager/ or /host-manager/. This token can
be utilized by an attacker to construct a CSRF attack.

This is a vulnerability issue with Tomcat 8.0.15.

We have this version of Tomcat installed on our servers.

As suggested by Tomcat, this has been addressed and fixed in versions after 8.0.32.

Restrict access to the /manager URL from unauthorised IP addresses by implementing access
control lists that only permit authorised management stations or subnets. For more information,

But we do not want to upgrade Tomcat right now.

Is there a way to implement this fix in our current Tomcat version?

Kind Regards,
Abhishek Kumar

Note: This email, including any attachments, is confidential. If you have received this email
in error, please advise the sender and delete it and all copies of it from your system. If
you are not the intended recipient of this email, you must not use, print, distribute, copy
or disclose its content to anyone.
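One way to apply the access-control mitigation quoted in the message above on an existing Tomcat 8.0 installation, without upgrading: a per-application context file that admits requests to the Manager application only from the loopback address and a management subnet. This is an added example, not part of the original message and not a file Tomcat ships as-is. The file location follows Tomcat's standard per-context layout (`$CATALINA_BASE/conf/Catalina/localhost/<appname>.xml`); the 10.0.0.x management subnet is an assumption for illustration and should be replaced with the addresses of the actual management stations.

```xml
<!-- $CATALINA_BASE/conf/Catalina/localhost/manager.xml
     The same file, named host-manager.xml, protects /host-manager.
     Added example: the 10.0.0.x subnet is an assumed management range. -->
<Context antiResourceLocking="false" privileged="true">
  <!-- RemoteAddrValve compares the client IP address against the regular
       expression in allow=. A request from any other address is rejected
       with HTTP 403 before the Manager index page runs, so the redirect
       that carries the CSRF token is never issued to that client. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.0\.0\.\d+" />
</Context>
```

Two caveats worth checking after deployment. First, confirm the valve is in effect by requesting /manager/html from a host outside the allowed range and expecting a 403 rather than a login prompt or redirect. Second, the message says Tomcat sits behind a load balancer: if the balancer proxies connections, the remote address Tomcat sees is the balancer's own, not the client's, so either enforce the restriction at the load balancer itself or place a RemoteIpValve ahead of this valve so that the forwarded client address is the one matched. This limits who can reach the page that leaks the token; the token disclosure itself is only removed by the upgrade the message refers to.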
