GERONIMO-3549: Potential vulnerability in Apache Tomcat Webdav servlet

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.1.1, 1.2, 2.0, 2.0.1, 2.0.2, 2.1
    • Fix Version/s: 2.0.3, 2.1
    • Component/s: Tomcat
    • Security Level: public (Regular issues)
    • Labels:
      None

      Description

      Subject: [SECURITY] Potential vulnerability in Apache Tomcat Webdav servlet
      Date: Thu, 18 Oct 2007 13:40:24 -0400
      From: Kevan Miller <kevan.miller@gmail.com>
      Reply-To: dev@geronimo.apache.org
      To: Geronimo Dev <dev@geronimo.apache.org>

      The Geronimo project has learned of a security vulnerability in the
      Apache Tomcat Webdav Servlet implementation. If you use a Tomcat
      configuration of Geronimo and configure a write-enabled Webdav servlet,
      you may be affected by this vulnerability. If you do not configure the
      Webdav servlet or configure read-only Webdav servlets, you are not
      impacted by this vulnerability. Jetty configurations of Geronimo are not
      affected by this vulnerability.

      This vulnerability impacts all Geronimo releases up to and including
      Geronimo 2.0.2.

      For specific information regarding the Tomcat issue, see http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3c47135C2D.1000705@apache.org%3e

      By default, Geronimo releases do not use the Webdav servlet. However, it
      is possible for the Webdav Servlet to be configured or referenced by a
      user-written application.

      The Webdav Servlet could be explicitly configured in a web.xml
      deployment descriptor as follows:

      ...
      <servlet>
        <servlet-name>webdav</servlet-name>
        <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
        <init-param>
          <param-name>readonly</param-name>
          <param-value>false</param-value>
        </init-param>
      </servlet>

      Alternatively, a user's application could extend the WebdavServlet, for
      example:

      import org.apache.catalina.servlets.WebdavServlet;

      public class MyServlet extends WebdavServlet {
          // ...
      }

      If you configure a write-enabled Webdav servlet, we recommend that you:

      • Disable write access to the Webdav Servlet until this problem has
        been fixed, or
      • Limit access to the Webdav servlet to only trusted users.

      This vulnerability will be fixed in the next release of Geronimo (2.0.3
      and/or 2.1).

      --kevan

        Activity

        Jay D. McHugh added a comment -

        Commits for Geronimo-3451 ('restricted listeners') also include necessary security fixes for this issue.


          People

          • Assignee: Jay D. McHugh
          • Reporter: Donald Woods