tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
Date Thu, 18 Oct 2018 15:38:37 GMT
Hash: SHA256


On 10/18/18 11:08, Alex O'Ree wrote:
> Basically. I start with the tomcat distro, apply my changes,  then
> zip it up and distribute. I'm at a situation when patches are
> preferable over a complete reinstall of my product thus the
> inquiry.  I can probably just replace all the tomcat bits and be
> done with it.

Tomcat only ships with .jar files and configuration. Feel free to just
overwrite all the JAR files with the newer Tomcat ones. It's just as
easy to replace all two-dozen of them as it would be to replace a
single one, right?

- -chris

> On Thu, Oct 18, 2018, 8:52 AM Christopher Schultz < 
>> wrote:
> Alex,
> On 10/14/18 18:06, Alex O'Ree wrote:
>>>> Is there perhaps a patch that can be applied or better yet, a
>>>> list of jars that are were affected by this? (I'm just trying
>>>> to find a simple way to patch a large volume of servers)
> There is nothing official. Nobody has individually identified
> which svn revisions fix this issue, so your only options really
> are:
> 1. Grab the previous version from source, apply all patches and
> deploy (this is the same as just grabbing the new binaries,
> assuming you trust ASF distros)
> 2. Grab the new binaries, determine which JARs are different
> (which may not be super-easy), then copy those to each server. But
> then you have a server which reports x.y.z but is actually x.y.z+∂
> :(
> 3. Look at all the commits in ∂ and try to guess the problem.
> Then, mitigate it at e.g. reverse-proxy of WAF level. One way would
> be to prevent redirects to sites other than your own (which is
> really the big danger for open-redirects). Just look for
> sketchy-looking Location response headers. :)
> I'm curious how you handle upgrades in general. This certainly
> isn't the first security issue inn Tomcat that requires an update
> in your environment. How do you usually handle updates?
> -chris
>>>> On Wed, Oct 10, 2018 at 10:23 AM Christopher Schultz < 
>>>>> wrote:
>>>> Mark and Michael,
>>>> On 10/10/18 05:15, Mark Thomas wrote:
>>>>>>> On 08/10/18 21:55, Michael Yoder wrote:
>>>>>>>> On Wed, Oct 3, 2018 at 12:50 PM Mark Thomas 
>>>>>>>> <> wrote:
>>>>>>>>> CVE-2018-11784 Apache Tomcat - Open Redirect
>>>>>>>> Is it possible to get more information on the
>>>>>>>> "specially crafted URL"? I'd like more information so
>>>>>>>> that I can test if some of our apps are vulnerable.
>>>>>>> Generally, there is a balance to strike here between
>>>>>>> making it easy for the less technically competent
>>>>>>> attackers to construct an attack and making it easy for
>>>>>>> end users to figure out if they are vulnerable. The way
>>>>>>> we typically do this is by describing the conditions
>>>>>>> necessary for an attack to be possible as completely as
>>>>>>> possible but not providing details of how to perform an
>>>>>>> attack.
>>>>>>> We also provide references to the commit that fixed
>>>>>>> the issue. For someone with the right skills, there is
>>>>>>> usually enough information in the description and the
>>>>>>> commit for a successful attack to be reverse
>>>>>>> engineered.
>>>> It doesn't look like Sergey has posted anything (that I can
>>>> find) that might be called a full disclosure. If he had, I'd
>>>> point it out.
>>>> If I were you, I'd just make sure that you either (a) upgrade
>>>> or (b) use the existing settings to mitigate the potential
>>>> problem, as described in the announcement.
>>>> -chris
>>>>> ------------------------------------------------------------------
- ---
To unsubscribe, e-mail:
>>>>> For additional commands, e-mail:
>> ---------------------------------------------------------------------
To unsubscribe, e-mail:
>> For additional commands, e-mail:
Comment: Using GnuPG with Thunderbird -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message