Explorer
Posts: 20
Registered: ‎12-07-2018

tomcat security vulnerability CVE-2017-12615

Customer found the Tomcat security vulnerability CVE-2017-12615 on the third node of a CDH 5.15 cluster.


How to fix this CVE-2017-12615 issue?

Explorer
Posts: 20
Registered: ‎12-07-2018

Re: tomcat security vulnerability CVE-2017-12615

This flaw affects Tomcat on Oracle Enterprise Linux only when a specific context is configured with readonly=false. The default configuration has a readonly context, so it is not affected. Ensure that readonly is set to true (by default it is true even if not mentioned in web.xml) for the DefaultServlet, WebDAV servlet or application context.

Example: depending on what version you are on, there are many web.xml files for each service.

    [root@labUSbda07 ~]# vi /opt/cloudera/parcels/CDH-5.10.0-1.cdh5.10.0.p0.41/etc/oozie/tomcat-conf.http/conf/web.xml
    [root@labUSbda07 ~]# vi /opt/cloudera/parcels/CDH-5.13.1-1.cdh5.13.1.p0.2/etc/oozie/tomcat-conf.http/conf/web.xml
    more /opt/cloudera/parcels/CDH-5.13.1-1.cdh5.13.1.p0.2/etc/oozie/tomcat-conf.http/conf/web.xml

Servlet content on my Lab server:


    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

The readonly parameter's default value is picked here (no readonly init-param is present, so it is true).