On 14/03/2018 01:04, Harish Krishnan wrote:
Hi All,Thanks for all the help and work you great people do. My question is regarding CVE-2018-1305 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305> and CVE-2018-1304 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304> that were fixed in the latest builds. We use Tomcat 7.x. a) When can we expect the CVE scores determined for these vulnerabilities. On NVD, it still says awaiting analysis. This information would help us determine the SLA on when we can update tomcat builds.
The Tomcat community does not provide CVSS scores. There are multiple reasons for this including:
- they are too subjective; - the true score depends on how Tomcat is being used and that can only be determined by the user and can vary wildly from user to user for any one vulnerability.The correct thing to do is exactly what you are doing. Review the vulnerabilities, figure out of they impact you or not and, if they do impact you, figure out the extent of that impact, what you need to to to mitigate that impact and how quickly you need to do it.
b) Regarding 1st CVE (#1305), we do not use annotation based security constraints. Instead we configure it in our web.xml. With this understanding, is it safe to consider we are not vulnerable?
Correct. You are not vulnerable because you do not define security constraints via annotations.
c) Regarding 2nd CVE (#1304), the url pattern in all our security
constraints is of the format "/*".
* i believe would include everything.
To confirm with you, does this include the empty ("") string to make our
usage vulnerable too?
No. You are not vulnerable. The vulnerability only applies if the url pattern of the empty string is used to define a security constraint.
Kind regards, Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
