This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-training.git
The following commit(s) were added to refs/heads/main by this push:
new ec1eae8 Add presentation based on CVE-2024-50379
ec1eae8 is described below
commit ec1eae8490d3cc7926ae75446ddfbcb1821ad329
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Feb 11 16:03:57 2025 +0000
Add presentation based on CVE-2024-50379
---
index.html | 1 +
modules/cve-2024-50379.html | 212 +++++++++++++++++++++
.../cve-handling-good-bad-ugly.html | 55 +++---
3 files changed, 238 insertions(+), 30 deletions(-)
diff --git a/index.html b/index.html
index d850dbb..a76fa48 100644
--- a/index.html
+++ b/index.html
@@ -40,6 +40,7 @@
<ul>
<li><a href="presentations/tomcat-11-jakarta-ee-11.html">Tomcat 11
and Jakarta EE 11</a></li>
<li><a href="presentations/tomcat-11-preview.html">Tomcat 11
Preview</a></li>
+ <li><a href="presentations/cve-handling-good-bad-ugly.html">CVE
handling - the good, the bad & the ugly</a></li>
</ul>
</section>
<section>
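Review bot: the link text on the added `<li>` in index.html contains a bare `&` ("the good, the bad & the ugly"), which should be written `&amp;` in HTML; browsers recover from it, but a validator will flag it and the two existing entries above avoid the problem. Suggest `CVE handling - the good, the bad &amp; the ugly</a></li>`.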
diff --git a/modules/cve-2024-50379.html b/modules/cve-2024-50379.html
new file mode 100644
index 0000000..f38b7d1
--- /dev/null
+++ b/modules/cve-2024-50379.html
@@ -0,0 +1,212 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Agenda</h3>
+ <p>Background</p>
+ <p>CVE-2024-50379<p>
+ <p>CVE-2024-56337</p>
+ <p>Reflections</p>
+ <p>Questions</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Background</h3>
+ <p>URLs are case sensitive</p>
+ <p>URLs are very often mapped to file systems</p>
+ <p>Windows and MacOS file systems are (usually) case insensitive</p>
+ <p>Need to be able to differentiate between a request for a.Jsp and a.jsp</p>
+ <p>File.getCanonicalPath()</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Note</h3>
+ <p>Summaries of the much longer emails</p>
+ <p>Some emails have been skipped</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Friday 18 October 2024</h3>
+ <p align="left">10:51 "I have found an RCE. How do I report it?" Also
mentions HackerOne bounty.</p>
+ <p align="right">13:19 "Here. Plain text."</p>
+ <p align="left">14:28 "PoC and 30MB mp3"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Summary of report</h3>
+ <p>Enable write in Default Servlet</p>
+ <p>Enable the CORS Filter</p>
+ <p>Windows only</p>
+ <p>PUT a.Jsp</p>
+ <p>DELETE a.Jsp</p>
+ <p>GET a.jsp</p>
+ <p>Repeat a lot until GET a.jsp returns the uploaded file</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>First thoughts</h3>
+ <p>CORS?</p>
+ <p>Tomcat 8 is out of scope</p>
+ <p>Tomcat 11 onwards not affected?</p>
+ <p>Need full configuration details</p>
+ <p>The PoC isn't consistent with the video</p>
+ <p>It isn't clear what is going on here</p>
+ <p>Insecure configuration?</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Monday 21 October 2024</h3>
+ <p align="left">03:38 "MacOS also affected"</p>
+ <p align="right">08:17 "Clarification questions"</p>
+ <p align="right">15:24 "Konstantin finds a TOCTOU issue in the canonical
file name check"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Wednesday 23 October 2024</h3>
+ <p align="right">14:43 "Confirm RCE. Allocate CVE."</p>
+ <p align="right">"How do we fix this?"</p>
+ <p align="right">"..."</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Friday 25 October 2024</h3>
+ <p align="right">"Konstantin suggests File.list()"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Monday 28 October 2024</h3>
+ <p align="left">05:30 "Additional information including a PoC in python"</p>
+ <p align="right">"File.list() is too slow"</p>
+ <p align="right">"..."</p>
+ <p align="right">"Locking"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Tuesday 29 October 2024</h3>
+ <p align="right">Can't reproduce issue with Python PoC</p>
+ <p align="right">But it does highlight cache issues</p>
+ <p align="right">Use the fix for this to mask the CVE fix?</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Wednesday 30 October 2024</h3>
+ <p align="right">Performance numbers for the locking solution</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Monday 4 November 2024</h3>
+ <p align="right">16:07 "Please test this fix."</p>
+ <p align="left">18:09 "It isn't fixed."</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Saturday 9 November 2024</h3>
+ <p>Tomcat 9.0.97 released</p>
+ <p>Tomcat 10.1.31 released</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Sunday 10 November 2024</h3>
+ <p>Tomcat 11.0.2 released</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Fri 15 November 2024</h3>
+ <p align="right">15:07 "I messed up the locking fix."</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Mon 18 November 2024</h3>
+ <p align="right">09:39 "Please re-test."</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Tue 19 November 2024</h3>
+ <p align="left">07:22 "Fix confirmed."</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Monday 9 December 2024</h3>
+ <p>Tomcat 9.0.98 released</p>
+ <p>Tomcat 10.1.34 released</p>
+ <p>Tomcat 11.0.2 released</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Tue 17 December 2024</h3>
+ <p align="right">12:26 "Announce CVE-2024-50379"</p>
+ <p align="left">18:42 "CVE-2024-50379 is not fixed"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Wed 18 December 2024</h3>
+ <p align="right">07:28 "Huh? What changed?"</p>
+ <p>Jonathan Gallimore (TomEE) provides a PoC that does reproduce the
issue</p>
+ <p align="right">19:28 "Does disabling caching have an impact?"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Thursday 19 December 2024</h3>
+ <p align="left">05:29 "Disabling caching has no effect"</p>
+ <p>I am able to reproduce the issue locally</p>
+ <p>Jonathan Gallimore continues to help us test different scenarios</p>
+ <p>Java 17 onwards not affected</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Thursday 19 December 2024</h3>
+ <p align="left">14:25 "Found it. Java has a cache for canonical file
names"</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Friday 20 December 2024</h3>
+ <p align="right">15:17 Announce CVE-2024-56338</p>
+ <p align="right">Use Java system properties to disable the cache</p>
+ <p align="right">Will try and enforce this in a future Tomcat version</p>
+</section>
+<section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h3>Reflections</h3>
+ <p>Good: The overall process</p>
+ <p>Bad: Ignoring instincts</p>
+ <p>Ugly: Not fixing it the first time</p>
+</section>
\ No newline at end of file
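Review bot: the Agenda slide's `<p>CVE-2024-50379<p>` is missing the slash on its closing tag, so the browser will nest an empty paragraph; it should read `<p>CVE-2024-50379</p>`. Two content inconsistencies in the same file also need reconciling: the agenda lists CVE-2024-56337 while the 20 December slide announces CVE-2024-56338, and "Tomcat 11.0.2 released" appears under both 10 November and 9 December, which cannot both be right. Minor: the `align` attribute on `<p>` is obsolete in HTML5 (a class with `text-align` in the theme stylesheet does the same job), and the file lacks a trailing newline.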
diff --git a/index.html b/presentations/cve-handling-good-bad-ugly.html
similarity index 53%
copy from index.html
copy to presentations/cve-handling-good-bad-ugly.html
index d850dbb..d332d20 100644
--- a/index.html
+++ b/presentations/cve-handling-good-bad-ugly.html
@@ -15,49 +15,39 @@
limitations under the License.
-->
<!doctype html>
-<html lang="en">
+<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0,
maximum-scale=1.0, user-scalable=no">
- <title>Tomcat Training</title>
+ <title>Tomcat 11 and Jakarta EE</title>
- <link rel="stylesheet" href="dist/reset.css">
- <link rel="stylesheet" href="dist/reveal.css">
- <link rel="stylesheet" href="dist/theme/black.css">
+ <link rel="stylesheet" href="../dist/reset.css">
+ <link rel="stylesheet" href="../dist/reveal.css">
+ <link rel="stylesheet" href="../dist/theme/white.css">
<!-- Theme used for syntax highlighted code -->
- <link rel="stylesheet" href="plugin/highlight/monokai.css">
+ <link rel="stylesheet" href="../plugin/highlight/monokai.css">
+
</head>
<body>
<div class="reveal">
<div class="slides">
- <section>
- <h1>Tomcat presentations</h1>
- </section>
- <section>
- <p>The following presentations are currently available</p>
- <ul>
- <li><a href="presentations/tomcat-11-jakarta-ee-11.html">Tomcat 11
and Jakarta EE 11</a></li>
- <li><a href="presentations/tomcat-11-preview.html">Tomcat 11
Preview</a></li>
- </ul>
- </section>
- <section>
- <h1>Tomcat training</h1>
- </section>
- <section>
- <p>The following training courses are currently available</p>
- <ul>
- <li><a href="courses/tomcat-for-administrators.html">Tomcat for
Administrators</a></li>
- </ul>
+ <section data-background-image="../images/tomcat.svg"
+ data-background-size="contain"
+ data-background-opacity="0.15">
+ <h1>Responding to an RCE report<br/>The good, the bad and the
ugly</h1>
</section>
+ <section data-external-replace="../modules/intro-markt.html">
</section>
+ <section data-external-replace="../modules/cve-2024-50379.html">
</section>
+ <section data-external-replace="../modules/wrap-up-presentation.html">
</section>
</div>
</div>
- <script src="dist/reveal.js"></script>
- <script src="plugin/notes/notes.js"></script>
- <script src="plugin/markdown/markdown.js"></script>
- <script src="plugin/highlight/highlight.js"></script>
+ <script src="../dist/reveal.js"></script>
+ <script src="../plugin/notes/notes.js"></script>
+ <script src="../plugin/markdown/markdown.js"></script>
+ <script src="../plugin/highlight/highlight.js"></script>
<script>
// More info about initialization & config:
// - https://revealjs.com/initialization/
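Review bot: the new presentation's `<title>` is set to "Tomcat 11 and Jakarta EE", which does not match the `<h1>` "Responding to an RCE report" later in the hunk; it looks carried over from the other presentation and should be renamed to match. The change from `<html lang="en">` to `<html>` also drops the language attribute for no apparent reason; keeping `lang="en"` helps screen readers and hyphenation, and the remaining edits in the hunk (`../` relative paths, white theme, external modules) are the intended differences.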
@@ -66,8 +56,13 @@
hash: true,
// Learn about plugins: https://revealjs.com/plugins/
- plugins: [ RevealMarkdown, RevealHighlight, RevealNotes ]
- });
+ plugins: [ RevealMarkdown, RevealHighlight, RevealNotes ],
+
+ width: 1200,
+ dependencies: [
+ // reveal_external to allow composition from multiple files
+ { src: '../plugin/external/external.js', condition: function() {
return !!document.querySelector( '[data-external],[data-external-replace]' ); }
}
+ ] });
</script>
</body>
</html>
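Review bot: the added `dependencies` block uses the older reveal.js plugin-loading path while the same initialisation call already uses the `plugins` array that the comment above it points to; a short comment stating why reveal_external is loaded via `dependencies` rather than `plugins` would stop the next reader from trying to move it. Style: the closing `] });` on a single line and the long `condition: function() { ... }` line would read better split across lines, matching the formatting of the rest of the file.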