Tomcat: Security constraint bypass

Tomcat, Error Pages, PUT, DELETE

Apache Tomcat fixed the vulnerability CVE-2017-5664 in versions 6.0.53, 7.0.78, 8.0.44 and 8.5.15.

Airlock WAF and Airlock IAM are not affected and protect back-end applications.


Tomcat delivers error pages through the DefaultServlet. CVE-2017-5664 affects systems that allow the DefaultServlet to handle write operations such as PUT or DELETE, which is the case when its readonly attribute is set to "false". The default for this attribute is "true", so systems that have not explicitly set readonly=false are safe. Airlock WAF, Airlock Login and Airlock IAM do not set this value to "false".
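As an added example (not code from this advisory, Airlock or Tomcat), a small audit script that checks a web.xml for the readonly=false precondition described above and compares a Tomcat version string against the fixed releases listed; the web.xml fragments and version strings it uses are constructed samples.

```python
"""Audit check for the CVE-2017-5664 precondition: a Tomcat DefaultServlet
declared with readonly=false, so PUT/DELETE are honoured. Added example for
this advisory, not Airlock's or Tomcat's code; web.xml samples are constructed."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
# Fixed versions named in the advisory, keyed by Tomcat branch.
FIXED = {"6.0": (6, 0, 53), "7.0": (7, 0, 78), "8.0": (8, 0, 44), "8.5": (8, 5, 15)}

# Constructed conf/web.xml fragments: one with the risky setting, one relying
# on Tomcat's default (readonly absent, which means true).
WRITABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
 </servlet></web-app>"""
DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
 <servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
 </servlet></web-app>"""


def _local(tag):
    """Strip the namespace so java.sun.com and xmlns.jcp.org schemas both match."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml):
    """True if a <servlet> using DefaultServlet sets readonly=false."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = None, {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(p.tag): (p.text or "").strip() for p in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if cls == DEFAULT_SERVLET and (params.get("readonly") or "true").lower() == "false":
            return True
    return False


def version_fixed(version):
    """True if the version is at or past its branch's fix; None for branches not listed."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(f"{parts[0]}.{parts[1]}")
    return None if fixed is None else parts >= fixed
```

Run it against the real conf/web.xml and any per-application WEB-INF/web.xml, since either location can declare the DefaultServlet with readonly=false.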

Airlock WAF protects back-end systems by limiting the allowed HTTP methods to GET and POST by default. Additional methods are possible, but they have to be explicitly allowed by the administrator. We assume that such changes are only made if the application can handle those methods correctly.

Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: Does not affect back-end behind Airlock