I was listening to Security Now this morning and there was a story about a vulnerability with Tomcat versions 7.X through 9.X.
You can see/hear the story here:
The issue is related to the AJP interface on TCP port 8009, and is described in CVE-2020-1938. While I was listening, I thought that it was probably being overstated because it would be unlikely that anyone would have Tomcat directly exposed to the Internet, but later I wondered if it could be an issue in deployments where Tomcat was fronted by a reverse proxy using AJP, such as Apache HTTPd + mod_proxy_ajp.
While I'm not totally clear, it sounds like you could upload a JSP via the AJP connector, and if the webapp designer were idiotic enough to store uploaded files within the WAR, the uploaded JSP could then be executed as though it were a legitimate part of the WAR application.
It does sound like Apache could be used for exploitation from remote sources in such cases.
But I've told people for years never to upload or write files into a WAR. Even absent the security risks, it doesn't work unless the WAR has been exploded (which, alas, is Tomcat's default), and potentially valuable files can get lost by a simple software upgrade.
I would definitely upgrade, but again, no well-designed webapp should be storing data of any kind within the WAR directory, or for that matter within any directory that's part of the Tomcat server.
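One concrete check a defender can run for the exposure discussed above is an audit of Tomcat's server.xml for AJP connectors that listen on all interfaces or accept connections without a shared secret. This is an added example, not code from the thread or from the Tomcat project; the `address`, `secretRequired` and `secret` attribute names come from Tomcat's AJP connector documentation (the `secret`/`secretRequired` attributes were introduced in the fixed 7.0.100 / 8.5.51 / 9.0.31 releases), and the sample server.xml is constructed for illustration.

```python
"""Audit a Tomcat server.xml for exposed AJP connectors.

Added example for the CVE-2020-1938 discussion; not code from the thread
or from Tomcat itself. Attribute names follow Tomcat's AJP connector
documentation; SAMPLE_SERVER_XML is a constructed input.
"""
import xml.etree.ElementTree as ET

# Addresses that keep the AJP listener reachable only from the same host.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: port 8009 uses the historical defaults (all interfaces,
# no secret); port 8010 is bound to loopback and requires a shared secret.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""


def is_ajp(connector):
    """True for AJP/1.3 and explicit AjpNio/AjpNio2/AjpApr protocol classes."""
    proto = connector.get("protocol", "HTTP/1.1")
    return "AJP" in proto.upper()


def audit_ajp_connectors(server_xml):
    """Return [(port, [findings])] for every AJP connector in server.xml.

    An empty findings list means the connector is loopback-bound and
    configured with a shared secret.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if not is_ajp(conn):
            continue
        port = conn.get("port", "?")
        findings = []

        address = conn.get("address")
        if address is None:
            findings.append("no address attribute: AJP listens on all interfaces")
        elif address not in LOOPBACK:
            findings.append(f"bound to non-loopback address {address}")

        if conn.get("secretRequired", "true").lower() == "false":
            findings.append("secretRequired=false: accepts AJP clients without a secret")
        elif not conn.get("secret"):
            findings.append("no secret attribute: shared secret not configured")

        results.append((port, findings))
    return results


def exposed_ajp_ports(server_xml):
    """Ports of AJP connectors with at least one finding."""
    return [port for port, findings in audit_ajp_connectors(server_xml) if findings]


if __name__ == "__main__":
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not findings else "; ".join(findings)
        print(f"AJP connector on port {port}: {status}")
```

Run it against a real server.xml by passing the file contents to `audit_ajp_connectors`. If a deployment does not front Tomcat with mod_proxy_ajp (or another AJP client) at all, the simplest remediation is to delete or comment out the AJP connector entirely; where it is needed, bind it to loopback or the proxy's private interface and configure the same shared secret on both sides.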