This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-training.git


The following commit(s) were added to refs/heads/main by this push:
     new ec1eae8  Add presentation based on CVE-2024-50379
ec1eae8 is described below

commit ec1eae8490d3cc7926ae75446ddfbcb1821ad329
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Feb 11 16:03:57 2025 +0000

    Add presentation based on CVE-2024-50379
---
 index.html                                         |   1 +
 modules/cve-2024-50379.html                        | 212 +++++++++++++++++++++
 .../cve-handling-good-bad-ugly.html                |  55 +++---
 3 files changed, 238 insertions(+), 30 deletions(-)

diff --git a/index.html b/index.html
index d850dbb..a76fa48 100644
--- a/index.html
+++ b/index.html
@@ -40,6 +40,7 @@
           <ul>
             <li><a href="presentations/tomcat-11-jakarta-ee-11.html">Tomcat 11 
and Jakarta EE 11</a></li>
             <li><a href="presentations/tomcat-11-preview.html">Tomcat 11 
Preview</a></li>
+            <li><a href="presentations/cve-handling-good-bad-ugly.html">CVE 
handling - the good, the bad & the ugly</a></li>
           </ul>
         </section>
         <section>
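Review bot: the bare `&` in the new link text (`the good, the bad & the ugly`) should be escaped as `&amp;` in HTML, and the link text does not match the `<h1>` of the presentation it points to ("Responding to an RCE report / The good, the bad and the ugly"); consider using the same wording in both places so the index entry and the deck title agree.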
diff --git a/modules/cve-2024-50379.html b/modules/cve-2024-50379.html
new file mode 100644
index 0000000..f38b7d1
--- /dev/null
+++ b/modules/cve-2024-50379.html
@@ -0,0 +1,212 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Agenda</h3>
+  <p>Background</p>
+  <p>CVE-2024-50379<p>
+  <p>CVE-2024-56337</p>
+  <p>Reflections</p>
+  <p>Questions</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Background</h3>
+  <p>URLs are case sensitive</p>
+  <p>URLs are very often mapped to file systems</p>
+  <p>Windows and MacOS file systems are (usually) case insensitive</p>
+  <p>Need to be able to differentiate between a request for a.Jsp and a.jsp</p>
+  <p>File.getCanonicalPath()</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Note</h3>
+  <p>Summaries of the much longer emails</p>
+  <p>Some emails have been skipped</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Friday 18 October 2024</h3>
+  <p align="left">10:51 "I have found an RCE. How do I report it?" Also 
mentions HackerOne bounty.</p>
+  <p align="right">13:19 "Here. Plain text."</p>
+  <p align="left">14:28 "PoC and 30MB mp3"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Summary of report</h3>
+  <p>Enable write in Default Servlet</p>
+  <p>Enable the CORS Filter</p>
+  <p>Windows only</p>
+  <p>PUT a.Jsp</p>
+  <p>DELETE a.Jsp</p>
+  <p>GET a.jsp</p>
+  <p>Repeat a lot until GET a.jsp returns the uploaded file</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>First thoughts</h3>
+  <p>CORS?</p>
+  <p>Tomcat 8 is out of scope</p>
+  <p>Tomcat 11 onwards not affected?</p>
+  <p>Need full configuration details</p>
+  <p>The PoC isn't consistent with the video</p>
+  <p>It isn't clear what is going on here</p>
+  <p>Insecure configuration?</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Monday 21 October 2024</h3>
+  <p align="left">03:38 "MacOS also affected"</p>
+  <p align="right">08:17 "Clarification questions"</p>
+  <p align="right">15:24 "Konstantin finds a TOCTOU issue in the canonical 
file name check"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Wednesday 23 October 2024</h3>
+  <p align="right">14:43 "Confirm RCE. Allocate CVE."</p>
+  <p align="right">"How do we fix this?"</p>
+  <p align="right">"..."</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Friday 25 October 2024</h3>
+  <p align="right">"Konstantin suggests File.list()"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Monday 28 October 2024</h3>
+  <p align="left">05:30 "Additional information including a PoC in python"</p>
+  <p align="right">"File.list() is too slow"</p>
+  <p align="right">"..."</p>
+  <p align="right">"Locking"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Tuesday 29 October 2024</h3>
+  <p align="right">Can't reproduce issue with Python PoC</p>
+  <p align="right">But it does highlight cache issues</p>
+  <p align="right">Use the fix for this to mask the CVE fix?</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Wednesday 30 October 2024</h3>
+  <p align="right">Performance numbers for the locking solution</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Monday 4 November 2024</h3>
+  <p align="right">16:07 "Please test this fix."</p>
+  <p align="left">18:09 "It isn't fixed."</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Saturday 9 November 2024</h3>
+  <p>Tomcat 9.0.97 released</p>
+  <p>Tomcat 10.1.31 released</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Sunday 10 November 2024</h3>
+  <p>Tomcat 11.0.2 released</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Fri 15 November 2024</h3>
+  <p align="right">15:07 "I messed up the locking fix."</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Mon 18 November 2024</h3>
+  <p align="right">09:39 "Please re-test."</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Tue 19 November 2024</h3>
+  <p align="left">07:22 "Fix confirmed."</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Monday 9 December 2024</h3>
+  <p>Tomcat 9.0.98 released</p>
+  <p>Tomcat 10.1.34 released</p>
+  <p>Tomcat 11.0.2 released</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Tue 17 December 2024</h3>
+  <p align="right">12:26 "Announce CVE-2024-50379"</p>  
+  <p align="left">18:42 "CVE-2024-50379 is not fixed"</p>  
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Wed 18 December 2024</h3>
+  <p align="right">07:28 "Huh? What changed?"</p>
+  <p>Jonathan Gallimore (TomEE) provides a PoC that does reproduce the 
issue</p>
+  <p align="right">19:28 "Does disabling caching have an impact?"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Thursday 19 December 2024</h3>
+  <p align="left">05:29 "Disabling caching has no effect"</p>
+  <p>I am able to reproduce the issue locally</p>
+  <p>Jonathan Gallimore continues to help us test different scenarios</p>
+  <p>Java 17 onwards not affected</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Thursday 19 December 2024</h3>
+  <p align="left">14:25 "Found it. Java has a cache for canonical file 
names"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Friday 20 December 2024</h3>
+  <p align="right">15:17 Announce CVE-2024-56338</p>
+  <p align="right">Use Java system properties to disable the cache</p>
+  <p align="right">Will try and enforce this in a future Tomcat version</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+         data-background-size="contain"
+         data-background-opacity="0.15">
+  <h3>Reflections</h3>
+  <p>Good: The overall process</p>
+  <p>Bad: Ignoring instincts</p>
+  <p>Ugly: Not fixing it the first time</p>
+</section>
\ No newline at end of file
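Review bot: the Agenda slide closes the `CVE-2024-50379` paragraph with an opening tag (`<p>CVE-2024-50379<p>`); it should be `<p>CVE-2024-50379</p>`, otherwise the following paragraphs nest unexpectedly. Two consistency points in the timeline: the Agenda lists CVE-2024-56337 while the Friday 20 December slide announces CVE-2024-56338, so one of the two identifiers is wrong; and `Tomcat 11.0.2 released` appears under both Sunday 10 November and Monday 9 December, so please check which version the November slide should name. The file is also missing its trailing newline.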
diff --git a/index.html b/presentations/cve-handling-good-bad-ugly.html
similarity index 53%
copy from index.html
copy to presentations/cve-handling-good-bad-ugly.html
index d850dbb..d332d20 100644
--- a/index.html
+++ b/presentations/cve-handling-good-bad-ugly.html
@@ -15,49 +15,39 @@
   limitations under the License.
 -->
 <!doctype html>
-<html lang="en">
+<html>
   <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0, 
maximum-scale=1.0, user-scalable=no">
 
-    <title>Tomcat Training</title>
+    <title>Tomcat 11 and Jakarta EE</title>
 
-    <link rel="stylesheet" href="dist/reset.css">
-    <link rel="stylesheet" href="dist/reveal.css">
-    <link rel="stylesheet" href="dist/theme/black.css">
+    <link rel="stylesheet" href="../dist/reset.css">
+    <link rel="stylesheet" href="../dist/reveal.css">
+    <link rel="stylesheet" href="../dist/theme/white.css">
 
     <!-- Theme used for syntax highlighted code -->
-    <link rel="stylesheet" href="plugin/highlight/monokai.css">
+    <link rel="stylesheet" href="../plugin/highlight/monokai.css">
+
   </head>
   <body>
     <div class="reveal">
       <div class="slides">
-        <section>
-          <h1>Tomcat presentations</h1>
-        </section>
-        <section>
-          <p>The following presentations are currently available</p>
-          <ul>
-            <li><a href="presentations/tomcat-11-jakarta-ee-11.html">Tomcat 11 
and Jakarta EE 11</a></li>
-            <li><a href="presentations/tomcat-11-preview.html">Tomcat 11 
Preview</a></li>
-          </ul>
-        </section>
-        <section>
-          <h1>Tomcat training</h1>
-        </section>
-        <section>
-          <p>The following training courses are currently available</p>
-          <ul>
-            <li><a href="courses/tomcat-for-administrators.html">Tomcat for 
Administrators</a></li>
-          </ul>
+        <section data-background-image="../images/tomcat.svg"
+                 data-background-size="contain"
+                 data-background-opacity="0.15">
+          <h1>Responding to an RCE report<br/>The good, the bad and the 
ugly</h1>
         </section>
+        <section data-external-replace="../modules/intro-markt.html"> 
</section>
+        <section data-external-replace="../modules/cve-2024-50379.html"> 
</section>
+        <section data-external-replace="../modules/wrap-up-presentation.html"> 
</section>
       </div>
     </div>
 
-    <script src="dist/reveal.js"></script>
-    <script src="plugin/notes/notes.js"></script>
-    <script src="plugin/markdown/markdown.js"></script>
-    <script src="plugin/highlight/highlight.js"></script>
+    <script src="../dist/reveal.js"></script>
+    <script src="../plugin/notes/notes.js"></script>
+    <script src="../plugin/markdown/markdown.js"></script>
+    <script src="../plugin/highlight/highlight.js"></script>
     <script>
       // More info about initialization & config:
       // - https://revealjs.com/initialization/
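Review bot: `<html lang="en">` is changed to `<html>`, dropping the language attribute that the copied index.html had; keep `lang="en"` for accessibility and consistency with the other pages. The `<title>` is set to `Tomcat 11 and Jakarta EE`, which looks like a leftover from the deck this file was copied from and should match the new presentation, e.g. the text used in its `<h1>`.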
@@ -66,8 +56,13 @@
         hash: true,
 
         // Learn about plugins: https://revealjs.com/plugins/
-        plugins: [ RevealMarkdown, RevealHighlight, RevealNotes ]
-      });
+        plugins: [ RevealMarkdown, RevealHighlight, RevealNotes ],
+        
+        width: 1200,
+        dependencies: [
+          // reveal_external to allow composition from multiple files
+          { src: '../plugin/external/external.js', condition: function() { 
return !!document.querySelector( '[data-external],[data-external-replace]' ); } 
}
+        ]      });
     </script>
   </body>
 </html>
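Review bot: the closing of the `dependencies` array and the end of the `Reveal.initialize` call are run together as `]      });` on one line, and the line after `plugins: [ RevealMarkdown, RevealHighlight, RevealNotes ],` contains only trailing whitespace; put `]` and `});` on separate lines at the surrounding indentation and drop the whitespace-only line.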

