On Thu, Dec 26, 2024 at 2:56 PM Luqman C <luqma...@polussolutions.com.invalid> wrote:
>
> Dear Apache Tomcat Team,
>
> I am writing to verify if my client environment is affected by the
> CVE-2024-56337 vulnerability in Apache Tomcat, related to remote code
> execution (RCE) via a write-enabled default servlet, which also impacts
> mitigation for CVE-2024-50379. Below are the details of the setup:
>
> Environment Details:
>
> * Tomcat Version: 9.0.65
> * Java Version: 11
> * Operating System: RHEL 8
> * File System: ext4
>
> Configuration:
>
> * Readonly Initialization Parameter in Default Servlet: I have checked the
>   web.xml file for the readonly parameter of the default servlet, where it is
>   not mentioned explicitly.
>
> Could you confirm if the default value (true) is sufficient, or if there are
> additional configuration steps required to mitigate the vulnerability in this
> case?
Yes, it's only in write mode (readonly set to false, which is obviously not the default value). Very, very few people would be affected.

Rémy

> Regards,
>
> Luqman C
>
> DevOps Engineer
>
> M : +91 9746578492 | Email: luqma...@polussolutions.com
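The check the original poster did by hand (look for a `readonly` init-param on the DefaultServlet and treat absence as the read-only default) can be scripted. The following is an added example for this thread, not code from the Tomcat project or from either participant. It assumes the servlet is declared with its usual class name `org.apache.catalina.servlets.DefaultServlet`, that the governing init-param is `readonly` with absent meaning read-only, and that Tomcat evaluates the value like Java's `Boolean.parseBoolean` (my reading of `DefaultServlet.init()`, so treat it as an assumption), which means only a case-insensitive `true` keeps the servlet read-only and a value such as `no` silently enables writes. The `web.xml` documents embedded below are constructed samples, and the function names `default_servlet_readonly` and `audit` are mine.

```python
"""Audit Tomcat web.xml files for a write-enabled DefaultServlet.

Added example for this thread; it is not code from the Tomcat project.
Assumptions: the servlet is declared with its usual class name
org.apache.catalina.servlets.DefaultServlet, the governing init-param is
"readonly" (absent means read-only, Tomcat's default), and Tomcat evaluates
the value like Java's Boolean.parseBoolean, so only a case-insensitive "true"
keeps the servlet read-only. The web.xml documents below are constructed.
"""
import sys
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: the shape of Tomcat's stock conf/web.xml, no readonly
# parameter at all, so Tomcat's default (read-only) applies.
SAFE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: an application's WEB-INF/web.xml that turns writes on.
WRITABLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

# Constructed sample: a value that looks like a refusal but is not "true".
# Under parseBoolean semantics (assumption, see module docstring) this also
# enables writes.
ODD_VALUE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>no</param-value></init-param>
  </servlet>
</web-app>
"""


def default_servlet_readonly(web_xml_text: str) -> bool:
    """True if every DefaultServlet declaration in this web.xml is read-only."""
    root = ET.fromstring(web_xml_text)
    # web.xml elements carry the javaee/jakartaee namespace; '{*}' matches any
    # namespace (supported by ElementPath since Python 3.8).
    for servlet in root.iterfind(".//{*}servlet"):
        cls = (servlet.findtext("{*}servlet-class") or "").strip()
        if cls != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet.iterfind("{*}init-param"):
            name = (param.findtext("{*}param-name") or "").strip()
            if name != "readonly":
                continue
            value = (param.findtext("{*}param-value") or "").strip()
            if value.lower() != "true":  # Boolean.parseBoolean semantics
                return False
    # No readonly param, or readonly=true: Tomcat's default of read-only holds.
    return True


def audit(web_xml_by_path: dict) -> list:
    """Return the paths whose DefaultServlet is write-enabled, in input order."""
    return [path for path, text in web_xml_by_path.items()
            if not default_servlet_readonly(text)]


if __name__ == "__main__":
    # Usage: python check_readonly.py $CATALINA_BASE/conf/web.xml \
    #            $CATALINA_BASE/webapps/*/WEB-INF/web.xml
    texts = {}
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            texts[path] = fh.read()
    flagged = audit(texts)
    for path in flagged:
        print(f"WRITE-ENABLED DefaultServlet: {path}")
    sys.exit(1 if flagged else 0)
```

Run it over `conf/web.xml` and every deployed application's `WEB-INF/web.xml`, since an application can redeclare the default servlet with its own init-params. The script only inspects declarations that name the servlet class explicitly and does not model Tomcat's merging of the global and per-application descriptors, so a clean result is evidence, not proof; a flagged file, on the other hand, is exactly the non-default configuration Rémy describes.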