Hi,

The Apache Tomcat web server running on the load balancer is affected by an information disclosure vulnerability in the index page of the Manager and Host Manager applications. An unauthenticated attacker can exploit this vulnerability to obtain a valid cross-site request forgery (CSRF) token during the redirect issued when requesting /manager/ or /host-manager/. This token can be utilised by an attacker to construct a CSRF attack.

This is a vulnerability issue with Tomcat 8.0.15. We have this version of Tomcat installed on our servers. As suggested by Tomcat, this has been addressed and fixed after version 8.0.32. Restrict access to the /manager URL from unauthorised IP addresses by implementing access control lists that only permit authorised management stations or subnets. For more information, see: https://urldefense.proofpoint.com/v2/url?u=http-3A__tomcat.apache.org_security-2D8.html-23Fixed-5Fin-5FApache-5FTomcat-5F8.0.32&d=DgIFAg&c=ZgVRmm3mf2P1-XDAyDsu4A&r=-JJsXOks_2Pd13691jEHA6PBSyPcGzblOMm00qdlxbs&m=54nd4qu7eMUZgW9FFIX2Q9G2FdQGJ69mCZu7VvFyN0s&s=y_OfZJOm3x6d8KgLtJS6flhRUDt_I8Aqk6kymbu3u2k&e=

But we do not want to upgrade Tomcat right now. Is there a way to implement this fix in our current Tomcat version?

Kind Regards,
Abhishek Kumar
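The access-control mitigation described in the message above, as an added example that is not part of the original thread: a per-application context file for the Manager webapp (assumed path conf/Catalina/localhost/manager.xml under CATALINA_BASE; the same valve can go in a host-manager.xml for /host-manager/). The unrestricted context is shown beside the restricted one; the `allow` value is a regular expression matched against the whole client address, and the subnet shown is a constructed placeholder.

```xml
<!-- Before: manager context with no source-address restriction.
     Any client that can reach the connector can request /manager/ . -->
<Context antiResourceLocking="false" privileged="true" />

<!-- After: only loopback and one management subnet may reach /manager/.
     The subnet 10\.0\.5\.\d+ is a constructed placeholder; replace it with
     the addresses of your authorised management stations. Everything not
     matched by "allow" is denied with 403 before the webapp is reached. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.0\.5\.\d+" />
</Context>
```

Because the server sits behind a load balancer, the valve will see the balancer's address rather than the client's unless a RemoteIpValve configured with the proxy's addresses runs ahead of it, so verify the effective client address (for example from the access log) before relying on the allow list.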