tomcat-users mailing list archives

From "Bradley, Richard" <rmbrad...@blm.gov>
Subject Re: [EXTERNAL] Re: Configuring CORS filter
Date Wed, 20 Jun 2018 19:34:11 GMT
Thank you Mark!  For the quick reply!  Yeah...Apache reports it as LOW and
they report as MEDIUM.  We have to mitigate all MEDIUM and HIGH
vulnerabilities.

Best regards,

Rick


On Wed, Jun 20, 2018 at 1:00 PM, Mark Thomas <markt@apache.org> wrote:

> On 20/06/18 18:16, Bradley, Richard wrote:
> > Hello,
> >
> > Tomcat version: 8.5.31
> > O/S: Windows Server 2008 R2
> >
> > McAfee vulnerability checker has reported a MEDIUM level vulnerability as
> > follows:
> >
> > Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
> > [FID 23621]
> >
> > Apache Software Foundation reports this in  announce@tomcat.apache.org
> > <https://lists.apache.org/list.html?announce@tomcat.apache.org>:
> >
> > CVE-2018-8014 Insecure defaults for CORS filter
> >
> > and the only mitigation is to "Configure the filter appropriately for
> your
> > environment"
> >
> > My question is:
> >
> > What if you don't have a CORS filter configured anywhere in the Tomcat
> and
> > web apps associated web.xml files?
>
> You have nothing to worry about.
>
> Well, apart from the poor quality of your vulnerability scanner that
> looks like it is reporting a CORS issue without checking to see if CORS
> headers are being sent.
>
> Mark
>
>


-- 
Richard M. Bradley (Rick)

*Geospatial Engineer*
BLM NOC EGIS
Sanborn Map Company, Inc.
Phone number: (303) 236-4538
rmbradley@blm.gov
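Mark's point above is that a scanner should look at what the server actually sends before flagging the CORS filter. The following is an added example, not code from the thread or from Tomcat: it classifies a response's CORS headers for the pattern CVE-2018-8014 describes (any origin allowed together with credentials, which Tomcat's CorsFilter expresses by echoing the request's Origin in Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true). The function names, the placeholder probe origin and the sample header sets are constructed for illustration.

```python
"""Classify a server's CORS response headers (added example, constructed).

If a request carrying an Origin header comes back with no
Access-Control-Allow-Origin at all, no CORS filter is mapped to that URL,
which is the situation in the thread: nothing to mitigate.
"""
import urllib.request
from typing import Mapping

# Placeholder origin for the probe; any origin the server does not know works.
PROBE_ORIGIN = "https://cors-check.invalid"


def classify_cors(headers: Mapping[str, str], probe_origin: str = PROBE_ORIGIN) -> str:
    """Return one of: no-cors-headers, insecure-default, any-origin, restricted."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return "no-cors-headers"          # filter absent or not mapped to this URL
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin and creds:
        return "insecure-default"         # arbitrary origin echoed with credentials
    if acao == "*":
        return "any-origin"               # wildcard; browsers refuse credentials here
    return "restricted"                   # a fixed allow-list is in place


def fetch_cors_headers(url: str, probe_origin: str = PROBE_ORIGIN, timeout: int = 10) -> dict:
    """Send a GET with an Origin header to your own server and return its headers."""
    req = urllib.request.Request(url, headers={"Origin": probe_origin})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses; no network access is needed to run these.
SAMPLE_NO_FILTER = {"Content-Type": "text/html;charset=UTF-8"}
SAMPLE_CVE_DEFAULT = {
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_RESTRICTED = {"Access-Control-Allow-Origin": "https://app.example.invalid"}

if __name__ == "__main__":
    for name, hdrs in [("no filter", SAMPLE_NO_FILTER),
                       ("CVE-2018-8014 default", SAMPLE_CVE_DEFAULT),
                       ("restricted", SAMPLE_RESTRICTED)]:
        print(f"{name}: {classify_cors(hdrs)}")
```

Pass a URL of a server you administer to fetch_cors_headers and feed the result to classify_cors; only "insecure-default" corresponds to the advisory's unconfigured filter.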
