Revision 1601333 - Fix for CVE-2014-0227

2015-02-13 Thread Amarendra Godbole
Hello,

This is my first post, and thank you to the Apache team for bringing us
Tomcat. Your hard work is greatly appreciated!

I have a query about the fix for the request smuggling issue
(CVE-2014-0227) -- when I inspected revision 1601333, I fail to
understand what the fix is, since all the patch seems to do is some
i18n cleanup, and add a boolean variable "error". Or did I miss
something?

Thanks.

-Amarendra

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence

2020-05-27 Thread amarendra godbole
s/PersistenceManager/PersistentManager/g

Is that a typo?

Thanks.

-ag

On Wed, May 20, 2020 at 8:19 AM Mark Thomas  wrote:
>
> CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
>
> Severity: High
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M4
> Apache Tomcat 9.0.0.M1 to 9.0.34
> Apache Tomcat 8.5.0 to 8.5.54
> Apache Tomcat 7.0.0 to 7.0.103
>
> Description:
> If:
> a) an attacker is able to control the contents and name of a file on the
>server; and
> b) the server is configured to use the PersistenceManager with a
>FileStore; and
> c) the PersistenceManager is configured with
>sessionAttributeValueClassNameFilter="null" (the default unless a
>SecurityManager is used) or a sufficiently lax filter to allow the
>attacker provided object to be deserialized; and
> d) the attacker knows the relative file path from the storage location
>used by FileStore to the file the attacker has control over;
> then, using a specifically crafted request, the attacker will be able to
> trigger remote code execution via deserialization of the file under
> their control. Note that all of conditions a) to d) must be true for the
> attack to succeed.
>
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M5 or later
> - Upgrade to Apache Tomcat 9.0.35 or later
> - Upgrade to Apache Tomcat 8.5.55 or later
> - Upgrade to Apache Tomcat 7.0.104 or later
> Alternatively, users may configure the PersistenceManager with an
> appropriate value for sessionAttributeValueClassNameFilter to ensure
> that only application provided attributes are serialized and deserialized.
>
> Credit:
> This issue was discovered and reported responsibly to the Apache Tomcat
> Security Team by jarvis threedr3am of pdd security research
>
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
> [4] http://tomcat.apache.org/security-7.html
>

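The mitigation in the quoted advisory is a one-attribute change on the session Manager. The following context.xml fragment, added here as an example and not taken from the advisory or from the Tomcat project, shows the vulnerable shape (PersistentManager plus FileStore with the filter left at its "null" default, conditions b and c) next to the hardened shape with an explicit allowlist. The package name com.example.app.session and the store directory "sessions" are placeholders; the JDK class list is the one the advisory implies is used when a SecurityManager is present.

```xml
<!-- META-INF/context.xml (constructed example; com.example.app is a placeholder) -->
<Context>

  <!-- Vulnerable shape: file-backed session persistence with no class filter.
       sessionAttributeValueClassNameFilter is unset, so it is effectively
       "null" and any serializable class found in a session file under the
       FileStore directory is deserialized when that session is loaded. -->
  <!--
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
  -->

  <!-- Hardened shape: same manager and store, plus an allowlist regex that is
       matched against the whole fully-qualified class name of every session
       attribute value. Only the listed JDK value types and the application's
       own session classes are serialized and deserialized; anything else is
       dropped rather than deserialized. -->
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|com\.example\.app\.session\..*">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>

</Context>
```

The regex has to name every class the application actually stores in sessions, including collection types such as java.util.ArrayList or java.util.HashMap if they are used as attribute values, otherwise those attributes are silently lost across a restart. Tomcat logs attributes rejected by the filter, so after deploying the filter exercise a login, restart Tomcat and check the logs for dropped attributes before relying on it in production. Note that the filter narrows what can be deserialized; it does not remove the underlying requirement that the FileStore directory (condition a and d) be writable only by the Tomcat process.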



Re: [SECURITY] CVE-2024-38286 Apache Tomcat - Denial of Service

2024-09-27 Thread Amarendra Godbole
On Mon, Sep 23, 2024 at 5:54 AM Mark Thomas  wrote:
>
> CVE-2024-38286 Apache Tomcat - Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 11.0.0-M1 to 11.0.0-M20
> Apache Tomcat 10.1.0-M1 to 10.1.24
> Apache Tomcat 9.0.13 to 9.0.89
>
> Description:
> Tomcat, under certain configurations on any platform, allows an attacker
> to cause an OutOfMemoryError by abusing the TLS handshake process.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 11.0.0-M21 or later
> - Upgrade to Apache Tomcat 10.1.25 or later
> - Upgrade to Apache Tomcat 9.0.90 or later
>
> Credit:
> This vulnerability was reported responsibly to the Tomcat security team
> by Ozaki, North Grid Corporation
>
> History:
> 2024-07-03 Original advisory
[...]

Based on the commit [1], is it safe to assume the issue only impacts
when TLS 1.3 is being used?

Thanks.

-Amarendra

[1] https://github.com/apache/tomcat/commit/76c5cce6f0bcef14b0c21c38910371ca7d322d13
