[HN Gopher] CVE-2021-24122 Apache Tomcat Information Disclosure
___________________________________________________________________
CVE-2021-24122 Apache Tomcat Information Disclosure
Author : based2
Score : 38 points
Date : 2021-01-15 18:36 UTC (4 hours ago)
(HTM) web link (mail-archives.apache.org)
| emergie wrote:
| Windows OS as a production environment for any Tomcat webapp
| seems very unlikely.
| skinkestek wrote:
| Saw some really ugliness with a large company as late as 2019:
|
| The company is trying to move to the cloud they think.
|
| What they don't know is they have servers like this, running on
| internet facing machines, and the http servers are missing two
| years of patches!
|
| All hanging by the thin thread of ip filtering using a geo ip
| database (that is also outdated) etc.
|
| Yep: management and IT want Windows because maintainability,
| that particular dev wanted Apache server so Apache server on
| Windows it was.
| pmahoney wrote:
| Note that Apache Tomcat is an implementation of Java
| Servlets, not to be confused with Apache httpd, the venerable
| web server.
| discreditable wrote:
| More common than you think. PowerSchool is a major Student Info
| System. Tomcat on Windows.
| Turbots wrote:
| I have So Many customers running Spring Boot Apps on embedded
| tomcat on Windows server.
| davidgerard wrote:
| _should_ be very unlikely. Unfortunately, there's a lot of
| this sort of thing. It's especially popular with enterprise
| software, which will often be a Windows exe or msi that wraps
| Tomcat and a Java app.
| technion wrote:
| A quick look around and I see McAfee EPO and MicroStrategy
| running this configuration in one organisation. Seems common
| across my customers.
| sdwvit wrote:
| Are you allowed by NDA to share such info?
| pjmlp wrote:
| You would be surprised how many Microsoft shops among F500 do
| it all the time.
|
| Here is another one, WebSphere on Windows.
| varikin wrote:
| In the late 2000s, I worked for an enterprise software company.
| Turns out many smaller customers that needed our software were
| Windows based and ran our Tomcat based software on Windows
| servers. The larger companies had dedicated Unix clusters
| for our software and other things.
|
| In the world of SaaS, this becomes less of a thing, but there
| are still a lot of non-tech small businesses that start with
| Windows based IT solutions because they want Office & Outlook.
| Then they find some domain specific thing that they want to
| host and since they know Windows, it runs on a Windows server.
| millerm wrote:
| Somebody had better call Equifax directly this time and let them
| know. Yes, I know it was Struts last time, but...
| java-man wrote:
| Any details? Is this an Apache vulnerability or a JRE one?
| farnulfo wrote:
| Commits:
| https://github.com/apache/tomcat/commit/800b03140e640f8892f2...
|
| Source:
| https://tomcat.apache.org/security-7.html#Fixed_in_Apache_To...
| java-man wrote:
| Thank you!
| spullara wrote:
| It looks like they are using getCanonicalPath to ensure that
| the file is under the serving root but there is some behavior
| that confused the Tomcat code. I can imagine this bug could
| manifest in other software that depends on this behavior on
| Windows.
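The serving-root containment check the comment above describes, as an added example (not Tomcat's own code; the class and method names RootCheck, underRootCanonical and underRootNio are hypothetical, and the temp directory is a constructed sample):

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper (not Tomcat's code) showing the check described above:
// a requested path is served only if it resolves to somewhere under the root.
public final class RootCheck {

    // Variant 1: File.getCanonicalPath, the API the comment says Tomcat uses.
    // The trailing separator matters: without it, "/srv/webroot-old/x"
    // would pass a naive startsWith("/srv/webroot") prefix test.
    static boolean underRootCanonical(File root, String requested) throws IOException {
        String rootPath = root.getCanonicalPath();
        if (!rootPath.endsWith(File.separator)) {
            rootPath += File.separator;
        }
        String target = new File(root, requested).getCanonicalPath();
        return target.startsWith(rootPath);
    }

    // Variant 2: java.nio.file, comparing path components rather than strings.
    // toRealPath follows symlinks and uses the file system's actual case, so
    // the comparison is made on the file that will really be opened.
    static boolean underRootNio(Path root, String requested) throws IOException {
        Path realRoot = root.toRealPath();
        Path target = realRoot.resolve(requested).normalize();
        if (!target.startsWith(realRoot)) {
            return false; // "../" escaped the root before touching the disk
        }
        if (!Files.exists(target)) {
            return false;
        }
        return target.toRealPath().startsWith(realRoot); // symlink escaped?
    }

    // Neither variant can fix the JRE/Windows API inconsistency the CVE
    // describes; for that, the mitigation is the patched Tomcat release.
    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("webroot"); // constructed sample root
        Files.writeString(root.resolve("index.jsp"), "<%= 1 %>");
        System.out.println(underRootNio(root, "index.jsp"));
        System.out.println(underRootNio(root, "../etc/passwd"));
        System.out.println(underRootCanonical(root.toFile(), "../x"));
    }
}
```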
| hangonhn wrote:
| According to the CVE, the root cause is unexpected behavior in
| the JRE caused by inconsistent behavior in the Windows API.
| Thaxll wrote:
| How many CVEs exist because of paths, symlinks etc ...
___________________________________________________________________
(page generated 2021-01-15 23:01 UTC)