Tomcat: Security constraint bypass

Submitted on 19. June 2017 - 16:18 by erwin.
Last update on 19. June 2017 - 16:59.

IDs:

CVE-2017-5664

Keywords:

Tomcat, Error Pages, PUT, DELETE

Description:

Apache Tomcat fixed the vulnerability CVE-2017-5664 in versions 6.0.53, 7.0.78, 8.0.44.and 8.5.15

Airlock WAF and Airlock IAM are not affected and are protecting back-end applications

Details:

Tomcat delivers the error pages through the DefaultServlet. Vulnerability CVE-2017-5664 affects systems that allow the DefaultServlet to handle write operations - such as PUT or DELETE. This is possible when the readonly attribute of the DefaultServlet is set to "false". The default for this attribute is "true". Systems that do not have explicitly set readonly=false are safe. Airlock WAF, Airlock Login and Airlock IAM are not setting this value to "false".

Airlock WAF protects back-end systems by limiting the allowed HTTP methods to GET and POST by default. Additional methods are possible, but they have to be explicit allowed by the administrator. We assume that such changes are only done if the application can handle those methods correctly.

Airlock Vulnerability Status:

Does not affect Airlock

Back-end Vulnerability Status:

Does not affect back-end behind Airlock

Reference:

[1] https://tomcat.apache.org/security-7.html

Main menu

Navigation

User menu

You are here

Tomcat: Security constraint bypass

Main menu

Search form

Navigation

User menu

You are here

Tomcat: Security constraint bypass