tomcat security vulnerability CVE-2017-12615


Customer found the Tomcat security vulnerability CVE-2017-12615 on the third node of a CDH 5.15 cluster.


How to fix this CVE-2017-12615 issue?



This flaw affects Tomcat on Oracle Enterprise Linux only when a specific context is configured with readonly=false. The default configuration has a readonly context, so it is not affected. Ensure that readonly is set to true (by default, it is true even if not mentioned in web.xml) for the DefaultServlet, WebDAV servlet or application context.

Example: depending on which version you are on, there are many web.xml files, one for each service.

[root@labUSbda07 ~]# vi /opt/cloudera/parcels/CDH-5.10.0-1.cdh5.10.0.p0.41/etc/oozie/tomcat-conf.http/conf/web.xml
[root@labUSbda07 ~]# vi /opt/cloudera/parcels/CDH-5.13.1-1.cdh5.13.1.p0.2/etc/oozie/tomcat-conf.http/conf/web.xml
more /opt/cloudera/parcels/CDH-5.13.1-1.cdh5.13.1.p0.2/etc/oozie/tomcat-conf.http/conf/web.xml

Servlet content on my Lab server:

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

The readonly parameter's default value is picked up here.
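As an added audit check (example code written for this page, not from the original post or from Cloudera), the script below parses a web.xml and reports every DefaultServlet or WebDAV servlet declared with readonly=false, treating an absent init-param as Tomcat's default of true; the embedded sample web.xml and the optional file-path argument are constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET

# Servlet classes whose readonly=false setting allows HTTP PUT to write files
# (the configuration that CVE-2017-12615 depends on).
WRITE_CAPABLE = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}

def local(tag):
    # Drop the {namespace} prefix ElementTree adds for the web-app namespace.
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return [(servlet-name, servlet-class)] for servlets with readonly=false."""
    findings = []
    for servlet in ET.fromstring(xml_text).iter():
        if local(servlet.tag) != "servlet":
            continue
        name = cls = ""
        readonly = "true"  # Tomcat's default when no readonly init-param exists
        for child in servlet:
            tag, text = local(child.tag), (child.text or "").strip()
            if tag == "servlet-name":
                name = text
            elif tag == "servlet-class":
                cls = text
            elif tag == "init-param":
                param = {local(p.tag): (p.text or "").strip() for p in child}
                if param.get("param-name") == "readonly":
                    readonly = param.get("param-value", "true").lower()
        if cls in WRITE_CAPABLE and readonly == "false":
            findings.append((name, cls))
    return findings

# Constructed sample (not from a real cluster): DefaultServlet set writable.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    # Usage: python audit_web_xml.py /path/to/web.xml (defaults to the sample).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for name, cls in audit_web_xml(text):
        print("WRITABLE servlet %r (%s): set readonly=true" % (name, cls))
```

Run it against each service's web.xml under the parcel directory; an empty result means every write-capable servlet is read-only.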

