Potential vulnerability in Apache Tomcat Webdav servlet

2007-10-18

We have learned of a security vulnerability in the Apache Tomcat Webdav Servlet implementation. If you use the Tomcat distribution of Geronimo and configure a write-enabled Webdav servlet, you may be affected by this vulnerability. If you do not configure the Webdav servlet or configure read-only Webdav servlets, you are not impacted by this vulnerability. Jetty configurations of Geronimo are not affected by this vulnerability.

This vulnerability impacts all Geronimo releases up to and including Geronimo 2.0.2. Read the full article for further details and a workaround.

For specific information regarding the Tomcat issue, see http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3c47135C2D.1000705@apache.org%3e

By default, Geronimo releases do not use the Webdav servlet. However, it is possible for the Webdav Servlet to be configured or referenced by a user-written application.

The Webdav Servlet could be explicitly configured in a web.xml deployment descriptor as follows:

Alternatively, a user's application could extend the WebdavServlet, for example:

If you configure a write-enabled Webdav servlet, we recommend that you:

  • Disable write access to the Webdav Servlet until this problem has been fixed, or
  • Limit access to the Webdav servlet to only trusted users.

This vulnerability will be fixed in the next release of Geronimo (2.0.3 and/or 2.1).