On 31/03/2022 15:56, jonmcalexan...@wellsfargo.com.INVALID wrote:
Noting the Hardening of the class loader, is this going to require this to be a
security release of the newest Tomcat releases (forthcoming), or will they
still just be standard releases?
That change does not address a security vulnerability in Apache Tomcat.
There will be no CVE for this change.
We generally use hardening to refer to things that do not address a
vulnerability but improve the overall security posture. Typically, these
changes provide additional defense in depth.
In this instance, it mitigates CVE-2022-22965 which is a Spring
Framework vulnerability. The main purpose of the release is to provide
end users with an alternative option if updating Tomcat is simpler than
updating the version of Spring they are using.
To provide some context, similar recent hardening changes include:
- Using a constant time algorithm to compare passwords. Analysis showed
that a timing attack wasn't feasible but we switched now in case it
became feasible at some point in the future.
- We changed the BeanFactory in 10.1.x (and might back-port the change)
to prevent it from being used if an application has a JNDI injection
vulnerability.
Finally, we will either keep completely silent about security
vulnerabilities until they are published or we will be completely open
about them up front (e.g. if there is a zero day).
HTH,
Mark
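Mark's first bullet contrasts an early-exit comparison with a constant-time one. The following is an added illustration of that change in Java, not Tomcat's own code; the class and method names, and the sample strings, are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Early-exit vs constant-time credential comparison (illustration only, not Tomcat code). */
public final class CredentialCompare {

    /** Naive comparison: returns at the first mismatching byte, so the time taken
     *  grows with the length of the matching prefix, which is what a timing attack measures. */
    public static boolean earlyExitEquals(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != supplied[i]) {
                return false; // leaks the position of the first mismatch through timing
            }
        }
        return true;
    }

    /** Constant-time comparison: always walks the full expected value and folds every
     *  difference into one accumulator, so the result does not change how long it takes.
     *  Only the length of the stored value is reflected in the timing, never its content. */
    public static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        int diff = expected.length ^ supplied.length;
        for (int i = 0; i < expected.length; i++) {
            // Index into supplied modulo its length so a shorter input still costs a full pass.
            byte s = supplied.length == 0 ? 0 : supplied[i % supplied.length];
            diff |= expected[i] ^ s;
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample credentials that differ only in the last byte.
        byte[] stored = "correct horse battery staple".getBytes(StandardCharsets.UTF_8);
        byte[] guess  = "correct horse battery stable".getBytes(StandardCharsets.UTF_8);
        System.out.println("early-exit:    " + earlyExitEquals(stored, guess));
        System.out.println("constant-time: " + constantTimeEquals(stored, guess));
        System.out.println("same value:    " + constantTimeEquals(stored, stored));
        // The JDK offers the same guarantee: MessageDigest.isEqual is constant-time in current JDKs.
        System.out.println("JDK isEqual:   " + MessageDigest.isEqual(stored, guess));
    }
}
```

Both comparisons return the same boolean; the difference is only in how much the elapsed time reveals about where the mismatch occurred.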
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org