Hi,

The Apache Tomcat web server running on the load balancer is affected by an 
information disclosure vulnerability in the index page of the Manager and Host 
Manager applications. An unauthenticated attacker can exploit this 
vulnerability to obtain a valid cross-site request forgery (CSRF) token during 
the redirect issued when requesting /manager/ or /host-manager/. This token can 
be used by an attacker to construct a CSRF attack.

This is a vulnerability in Tomcat 8.0.15.

We have this version of Tomcat installed on our servers.

As suggested by Tomcat, this has been addressed and fixed in 8.0.32 and later versions.

Restrict access to the /manager URL from unauthorised IP addresses by 
implementing access control lists that only permit authorised management 
stations or subnets. For more information, see:

https://urldefense.proofpoint.com/v2/url?u=http-3A__tomcat.apache.org_security-2D8.html-23Fixed-5Fin-5FApache-5FTomcat-5F8.0.32&d=DgIFAg&c=ZgVRmm3mf2P1-XDAyDsu4A&r=-JJsXOks_2Pd13691jEHA6PBSyPcGzblOMm00qdlxbs&m=54nd4qu7eMUZgW9FFIX2Q9G2FdQGJ69mCZu7VvFyN0s&s=y_OfZJOm3x6d8KgLtJS6flhRUDt_I8Aqk6kymbu3u2k&e=


But we do not want to upgrade Tomcat right now.

Is there a way to implement this fix in our current Tomcat version?


Kind Regards,
Abhishek Kumar
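Added example (not part of the original message): the access restriction that the advisory text above recommends can be applied on the existing 8.0.15 install without upgrading, by giving the Manager and Host Manager contexts a RemoteAddrValve. A per-host context file under conf/Catalina/localhost/ takes precedence over the application's own META-INF/context.xml, so the webapps do not need to be modified. The management subnet 10.0.5.0/24 below is an assumed value; replace it with the addresses of your own management stations. The same file, named host-manager.xml, covers /host-manager/.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/Catalina/localhost/manager.xml
     Example configuration, not from the original post. Create
     conf/Catalina/localhost/host-manager.xml with the same content
     to protect /host-manager/ as well. -->
<Context antiResourceLocking="false" privileged="true">

  <!-- RemoteAddrValve runs before any servlet or JSP in the context is
       reached, so the unauthenticated "/" index page (and the redirect
       that carries the CSRF token) is never served to addresses that
       do not match "allow". The value is a regular expression matched
       against the complete client address, so dots must be escaped.
       127.0.0.0/8 and IPv6 loopback are allowed, plus an ASSUMED
       management subnet 10.0.5.0/24; everything else gets HTTP 403. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.0\.5\.\d+" />

</Context>
```

Two caveats before relying on this. First, it is a mitigation, not the 8.0.32 fix: a client that is on the allowed list still receives the token in the redirect, so the CSRF exposure remains for those addresses. Second, because this Tomcat sits behind (or on) a load balancer, check what address the valve actually sees: if requests arrive from a proxy, the client address will be the proxy's, and the allow list will either block everyone or let everyone through. In that case either filter /manager/ and /host-manager/ at the proxy itself, or place a RemoteIpValve before the RemoteAddrValve so that the X-Forwarded-For header from a trusted proxy is used as the client address. Test from an address that should be blocked and confirm a 403 on both /manager/ and /manager/html before considering the change complete.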
