tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
Date Thu, 18 Oct 2018 15:38:37 GMT

Alex,

On 10/18/18 11:08, Alex O'Ree wrote:
> Basically. I start with the tomcat distro, apply my changes,  then
> zip it up and distribute. I'm at a situation when patches are
> preferable over a complete reinstall of my product thus the
> inquiry.  I can probably just replace all the tomcat bits and be
> done with it.

Tomcat only ships with .jar files and configuration. Feel free to just
overwrite all the JAR files with the newer Tomcat ones. It's just as
easy to replace all two-dozen of them as it would be to replace a
single one, right?

- -chris

> On Thu, Oct 18, 2018, 8:52 AM Christopher Schultz < 
> chris@christopherschultz.net> wrote:
> 
> Alex,
> 
> On 10/14/18 18:06, Alex O'Ree wrote:
>>>> Is there perhaps a patch that can be applied or better yet, a
>>>> list of jars that were affected by this? (I'm just trying
>>>> to find a simple way to patch a large volume of servers)
> 
> There is nothing official. Nobody has individually identified
> which svn revisions fix this issue, so your only options really
> are:
> 
> 1. Grab the previous version from source, apply all patches and
> deploy (this is the same as just grabbing the new binaries,
> assuming you trust ASF distros)
> 
> 2. Grab the new binaries, determine which JARs are different
> (which may not be super-easy), then copy those to each server. But
> then you have a server which reports x.y.z but is actually x.y.z+∂
> :(
> 
> 3. Look at all the commits in ∂ and try to guess the problem.
> Then, mitigate it at e.g. reverse-proxy or WAF level. One way would
> be to prevent redirects to sites other than your own (which is
> really the big danger for open-redirects). Just look for
> sketchy-looking Location response headers. :)
> 
> I'm curious how you handle upgrades in general. This certainly
> isn't the first security issue in Tomcat that requires an update
> in your environment. How do you usually handle updates?
> 
> -chris
> 
>>>> On Wed, Oct 10, 2018 at 10:23 AM Christopher Schultz < 
>>>> chris@christopherschultz.net> wrote:
>>>> 
>>>> Mark and Michael,
>>>> 
>>>> On 10/10/18 05:15, Mark Thomas wrote:
>>>>>>> On 08/10/18 21:55, Michael Yoder wrote:
>>>>>>>> On Wed, Oct 3, 2018 at 12:50 PM Mark Thomas 
>>>>>>>> <markt@apache.org> wrote:
>>>>>>>>> CVE-2018-11784 Apache Tomcat - Open Redirect
>>>>>>>> 
>>>>>>>> Is it possible to get more information on the
>>>>>>>> "specially crafted URL"? I'd like more information so
>>>>>>>> that I can test if some of our apps are vulnerable.
>>>>>>> 
>>>>>>> Generally, there is a balance to strike here between
>>>>>>> making it easy for the less technically competent
>>>>>>> attackers to construct an attack and making it easy for
>>>>>>> end users to figure out if they are vulnerable. The way
>>>>>>> we typically do this is by describing the conditions
>>>>>>> necessary for an attack to be possible as completely as
>>>>>>> possible but not providing details of how to perform an
>>>>>>> attack.
>>>>>>> 
>>>>>>> We also provide references to the commit that fixed
>>>>>>> the issue. For someone with the right skills, there is
>>>>>>> usually enough information in the description and the
>>>>>>> commit for a successful attack to be reverse
>>>>>>> engineered.
>>>> 
>>>> It doesn't look like Sergey has posted anything (that I can
>>>> find) that might be called a full disclosure. If he had, I'd
>>>> point it out.
>>>> 
>>>> If I were you, I'd just make sure that you either (a) upgrade
>>>> or (b) use the existing settings to mitigate the potential
>>>> problem, as described in the announcement.
>>>> 
>>>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
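Option 3 in the quoted reply suggests blocking redirects to foreign hosts at the reverse proxy or WAF by inspecting Location response headers. The following is an added illustration of that check, not code from the thread or from Tomcat; the allowed hosts and the sample response headers are constructed values, and nothing here reflects the actual CVE-2018-11784 trigger, which the announcement deliberately does not describe.

```python
from urllib.parse import urlsplit

# Hosts a redirect may legitimately point at (constructed example values).
ALLOWED_HOSTS = {"www.example.org", "example.org"}


def is_offsite_redirect(location, allowed_hosts=ALLOWED_HOSTS):
    """True if this Location header value would send the browser to a host
    outside allowed_hosts (or to a non-HTTP scheme). Relative targets such as
    "/login?next=x" have no authority component and are treated as on-site."""
    # Browsers tolerate surrounding whitespace and treat backslashes in the
    # authority part like forward slashes; fold both so the check sees what
    # the client will see (e.g. "/\evil.example" becomes "//evil.example").
    loc = location.strip().replace("\\", "/")
    parts = urlsplit(loc)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return True  # javascript:, data:, ftp: ... never a legitimate redirect here
    if not parts.netloc:
        # "http:evil.example" (scheme but no "//") parses with an empty authority;
        # URL parsers disagree on what it means, so do not guess: treat as off-site.
        return bool(parts.scheme)
    # .hostname drops userinfo and port (and lowercases), which defeats
    # "https://www.example.org@evil.example/" style values.
    host = (parts.hostname or "").rstrip(".")
    return host not in {h.lower() for h in allowed_hosts}


def flag_redirects(headers, allowed_hosts=ALLOWED_HOSTS):
    """Given response headers as (name, value) pairs, return the Location values
    that point off-site; a proxy/WAF rule would rewrite or drop those responses."""
    return [v for n, v in headers
            if n.lower() == "location" and is_offsite_redirect(v, allowed_hosts)]


# Constructed response headers, not captured from Tomcat or from the thread.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Location", "/docs/"),                                     # on-site, relative
    ("Location", "https://www.example.org:8443/app"),           # on-site, explicit port
    ("location", "//attacker.invalid/phish"),                   # protocol-relative
    ("Location", "/\\attacker.invalid/phish"),                  # backslash variant
    ("Location", "https://www.example.org@attacker.invalid/"),  # userinfo trick
]

if __name__ == "__main__":
    for bad in flag_redirects(SAMPLE_HEADERS):
        print("off-site redirect:", bad)
```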

