Participant
May 19, 2023
Question

The version of Tomcat installed on the remote host is prior to 9.0.71.

The version of Tomcat installed on the remote host is prior to 9.0.71. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.71_security-9 advisory.

- Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. (CVE-2023-24998)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

How does one remediate the above?
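The finding above is purely version-based: Nessus compares the self-reported Tomcat version with the 9.0.71 fix version named in the advisory and does not test the FileUpload behaviour itself. The following is an added example (not part of the original post or of Nessus) that applies the same version-only logic across an inventory, so several ColdFusion hosts can be triaged before the vendor update lands. The inventory lines and host names are constructed; the only value taken from the page is the 9.0.71 fix version for the 9.0.x branch, and builds on other branches are reported as outside this advisory's scope rather than guessed at.

```python
"""Triage self-reported Apache Tomcat versions against the fix version the
advisory names (9.0.71 on the 9.0.x branch, CVE-2023-24998).

Added example, not part of the forum thread. Like the scanner finding it
mirrors, this is a version comparison only; it does not exercise the
FileUpload code path.
"""
import re
from typing import Optional, Tuple

# Fix version for the 9.0.x branch, as stated in the advisory quoted above.
FIXED_9_0 = (9, 0, 71)

# First x.y.z token in a free-form banner such as "Apache Tomcat/9.0.65".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first x.y.z version from a string as a tuple of ints."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Classify a reported Tomcat version against the 9.0.71 fix.

    Returns one of:
      'affected'      - 9.0.x earlier than 9.0.71
      'fixed'         - 9.0.71 or later on the 9.0.x branch
      'other-branch'  - not a 9.0.x build; this advisory's fix version does not apply
      'unknown'       - no version could be parsed from the input
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v[:2] != FIXED_9_0[:2]:
        return "other-branch"
    # Tuple comparison is numeric per component, so 9.0.7 < 9.0.71 < 9.0.100,
    # which a plain string comparison would get wrong.
    return "affected" if v < FIXED_9_0 else "fixed"


# Constructed sample inventory: (host, version string as self-reported).
SAMPLE_INVENTORY = [
    ("cf-app-01", "Apache Tomcat/9.0.65"),
    ("cf-app-02", "Apache Tomcat/9.0.71"),
    ("cf-app-03", "Apache Tomcat/9.0.7"),
    ("cf-app-04", "Apache Tomcat/8.5.85"),
    ("cf-app-05", "version unavailable"),
]


def triage(inventory):
    """Return {host: status} for every host in the inventory."""
    return {host: assess(text) for host, text in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `affected` are the ones that still need the vendor update (or, in the meantime, the access restriction discussed in the replies); `other-branch` hosts need to be checked against their own branch's advisory, and `unknown` hosts need a better version source than a banner.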

Charlie Arehart
Community Expert
May 19, 2023

One must wait for Adobe to release an update to cf that embeds the updated tomcat.

You don't say what cf version you're on. If cf2021 we can expect such an update--but no telling when. They've gone over a year between applying needed tomcat updates. If you're on cf2018, such an update would need to come out before July, when its support/updates end.

/Charlie (troubleshooter, carehart. org)
Participant
May 19, 2023

So I went ahead and blocked port 8500 on the local firewall of the device both inbound and outbound. This remediated the issue. I told the users to use the server to access the CF admin page.

Charlie Arehart
Community Expert
May 19, 2023

Use the server? You mean access that 8500 port only from the server itself? Well, sure. Locking that down to be accessed only from the server itself is an option. But the port would have been blocked by most any firewall by default, since it's a non-standard port, at least from outside the network.

If you're saying the security scan doesn't run from the server but is within the network, that will stop it detecting the vulnerability. It's still there, but "less" exposed. By the same token, it was almost certainly not exposed outside the network.

/Charlie (troubleshooter, carehart. org)