Dear Apache Tomcat Team,

I am writing to verify if my client environment is affected by the CVE-2024-56337 vulnerability in Apache Tomcat, related to remote code execution (RCE) via a write-enabled default servlet, which also impacts mitigation for CVE-2024-50379. Below are the details of the setup:

Environment Details:
* Tomcat Version: 9.0.65
* Java Version: 11
* Operating System: RHEL 8
* File System: ext4

Configuration:
* Readonly Initialization Parameter in Default Servlet: I have checked the web.xml file for the readonly parameter of the default servlet where it is not mentioned explicitly.

Could you confirm if the default value (true) is sufficient, or if there are additional configuration steps required to mitigate the vulnerability in this case?

Regards,
Luqman C
DevOps Engineer
M : +91 9746578492 | Email: luqma...@polussolutions.com
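
The manual web.xml check described in the message can be scripted. The following is an added example, not part of the original message and not Tomcat project code: it reports the effective `readonly` value for every servlet mapped to the default servlet class, treating a missing parameter as the default `true` that the message mentions. The sample documents are constructed, and the script covers only the `readonly` setting asked about here.

```python
import sys
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: default servlet with no explicit readonly parameter.
SAMPLE_IMPLICIT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""
# Constructed variant: same servlet with writes explicitly enabled.
SAMPLE_WRITABLE = SAMPLE_IMPLICIT.replace(
    "<load-on-startup>",
    "<init-param><param-name>readonly</param-name>"
    "<param-value>false</param-value></init-param><load-on-startup>",
)

def _local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on namespaced tags.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def default_servlet_readonly(web_xml):
    """Map servlet-name -> (readonly, explicitly_set) for default servlets."""
    result = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        readonly, explicit = True, False  # absent parameter: default is true
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                value = _child_text(param, "param-value") or ""
                # Anything other than "true" (case-insensitive) counts as false here.
                readonly, explicit = value.lower() == "true", True
        result[_child_text(servlet, "servlet-name")] = (readonly, explicit)
    return result

if __name__ == "__main__":
    doc = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMPLICIT
    for name, (readonly, explicit) in default_servlet_readonly(doc).items():
        print(f"{name}: readonly={readonly} ({'explicit' if explicit else 'default'})")
```

Run it against both the global web.xml and each application's own web.xml, since a per-application descriptor can declare its own default servlet settings.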