From: "Bradley, Richard"
Date: Wed, 20 Jun 2018 13:34:11 -0600
Subject: Re: [EXTERNAL] Re: Configuring CORS filter
To: Tomcat Users List <users@tomcat.apache.org>
In-Reply-To: <3694e95c-f3ed-b40a-2b83-a0fa8070ce28@apache.org>

Thank you Mark, for the quick reply!

Yeah... Apache reports it as LOW and they report it as MEDIUM. We have to mitigate all MEDIUM and HIGH vulnerabilities.

Best regards,
Rick

On Wed, Jun 20, 2018 at 1:00 PM, Mark Thomas wrote:
> On 20/06/18 18:16, Bradley, Richard wrote:
> > Hello,
> >
> > Tomcat version: 8.5.31
> > O/S: Windows Server 2008 R2
> >
> > McAfee vulnerability checker has reported a MEDIUM level vulnerability as
> > follows:
> >
> > Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
> > [FID 23621]
> >
> > Apache Software Foundation reports this in announce@tomcat.apache.org:
> >
> > CVE-2018-8014 Insecure defaults for CORS filter
> >
> > and the only mitigation is to "Configure the filter appropriately for your
> > environment"
> >
> > My question is:
> >
> > What if you don't have a CORS filter configured anywhere in the Tomcat and
> > web apps associated web.xml files?
>
> You have nothing to worry about.
>
> Well, apart from the poor quality of your vulnerability scanner that
> looks like it is reporting a CORS issue without checking to see if CORS
> headers are being sent.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

--
Richard M. Bradley (Rick)
Geospatial Engineer
BLM NOC EGIS
Sanborn Map Company, Inc.
Phone number: (303) 236-4538
rmbradley@blm.gov
"Decide that you want it more than you're afraid of it. Your greatest dreams are all on the other side of the wall of fear and caution." - Unknown
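Mark's point is that a CVE-2018-8014 finding only means something if the server is actually emitting CORS headers, which the scanner apparently never checked. The following script is an added example, not part of the thread and not Tomcat project code: it sends one request carrying a foreign Origin header and classifies the response. No Access-Control-* headers back means no CorsFilter is in the request path and the finding is a false positive; the probe origin echoed back together with Access-Control-Allow-Credentials: true is the combination the pre-8.5.32 defaults (any origin allowed, credentials supported) produced. The probe origin `cors-probe.invalid` is constructed and need not resolve, and the `http://localhost:8080/` target is a placeholder for your own instance.

```python
"""Check whether a server really sends CORS headers for a foreign Origin.

Added example (not from the mailing-list thread or the Tomcat project).
Use it to validate a scanner's CORS finding before spending time on it.
"""
import sys
import urllib.error
import urllib.request

# Constructed, obviously fake origin. Only whether and how the server echoes
# it matters; the host does not need to exist.
PROBE_ORIGIN = "https://cors-probe.invalid"


def classify_cors(headers, origin=PROBE_ORIGIN):
    """Classify a response's headers (any dict; key case is ignored).

    Returns one of:
      'no-cors'          - no Access-Control-* headers at all: no CORS filter
                           is handling this request, so a CORS finding against
                           it is a false positive
      'restricted'       - CORS headers present, but the probe origin is not
                           allowed (the filter is configured with a real list)
      'open'             - probe origin or '*' allowed, credentials not enabled
      'open-credentials' - probe origin reflected AND credentials allowed: the
                           insecure default combination behind CVE-2018-8014
    A literal '*' together with credentials is reported as 'open', because
    browsers refuse to send credentials to a wildcard origin; only the
    reflected form actually exposes authenticated responses.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"

    if not any(k.startswith("access-control-") for k in h):
        return "no-cors"
    if acao not in ("*", origin):
        return "restricted"
    if creds and acao == origin:
        return "open-credentials"
    return "open"


def probe(url, origin=PROBE_ORIGIN, timeout=10):
    """GET `url` with a foreign Origin and return (status, headers dict).

    4xx/5xx responses are returned too: a CORS filter adds its headers
    regardless of the status the servlet behind it produces.
    """
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


if __name__ == "__main__":
    # Placeholder target; pass your own base URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/"
    status, hdrs = probe(target)
    print(f"{target}: HTTP {status}, CORS classification: {classify_cors(hdrs)}")
```

Run it against each context the scanner flagged, not just the root URL: the CorsFilter is mapped per web application in web.xml, so one context can be clean while another reflects origins. Only an `open-credentials` result matches what the advisory describes; `no-cors` is exactly the case Mark says there is nothing to worry about.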