Is Release Automation affected by CVE-2017-5664: Apache Tomcat Security Constraint Bypass?

Article ID: 14803

Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

Security vulnerability CVE-2017-5664 has been reported. The Apache Tomcat project has resolved it in its latest build, but Release Automation (RA) does not bundle the latest Tomcat version.



Is Release Automation 6.x affected by CVE-2017-5664: Apache Tomcat Security Constraint Bypass?

Environment

Release: NOLNAC99000-6.1-Nolio-Automation Center

Resolution

In short: not affected.

This vulnerability only applies when the "readonly" init-param of the DefaultServlet (org.apache.catalina.servlets.DefaultServlet) is set to false in CATALINA_HOME/conf/web.xml. If "readonly" is not set, its default value is true. The RA installer does not set the "readonly" property, so RA is not affected by this vulnerability even though it does not use the latest Tomcat build.

Please check whether your web.xml has been modified manually on purpose; a hand-edited DefaultServlet entry that sets "readonly" to false would reintroduce the affected condition.
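To make the check above repeatable, here is an added example (not part of the CA/Broadcom article or the RA product) that parses a Tomcat conf/web.xml and reports the effective value of the DefaultServlet "readonly" init-param, applying the article's criterion: affected only when it is explicitly set to false. The two embedded web.xml fragments are constructed samples that mimic the stock layout; the script name `check_readonly.py` and the namespace-stripping helper are assumptions of this example.

```python
"""Check a Tomcat conf/web.xml for the condition named in the article:
the DefaultServlet "readonly" init-param explicitly set to false."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the default configuration (readonly not set, so it
# defaults to true). The namespace and layout follow the stock web.xml.
DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the same file after a manual edit that sets
# readonly=false, which is the precondition the article describes.
MODIFIED_WEB_XML = DEFAULT_WEB_XML.replace(
    "<load-on-startup>1</load-on-startup>",
    "<init-param>\n      <param-name>readonly</param-name>\n"
    "      <param-value>false</param-value>\n    </init-param>\n"
    "    <load-on-startup>1</load-on-startup>",
)

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the effective value of the DefaultServlet readonly init-param.

    True  -> parameter absent (Tomcat default) or explicitly true
    False -> parameter explicitly set to false
    None  -> no DefaultServlet declaration found in the file
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        children = {_local(c.tag): c for c in servlet}
        cls = children.get("servlet-class")
        if cls is None or (cls.text or "").strip() != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() != "false"
        return True  # DefaultServlet present, readonly not set: default is true
    return None


def is_affected(web_xml_text):
    """The article's criterion: affected only when readonly is explicitly false."""
    return default_servlet_readonly(web_xml_text) is False


if __name__ == "__main__":
    # Usage: python check_readonly.py /path/to/CATALINA_HOME/conf/web.xml
    # With no argument the two constructed samples are checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print("affected" if is_affected(fh.read()) else "not affected")
    else:
        for name, text in (("default", DEFAULT_WEB_XML), ("modified", MODIFIED_WEB_XML)):
            print(f"{name}: {'affected' if is_affected(text) else 'not affected'}")
```

Run it against the real CATALINA_HOME/conf/web.xml of the RA installation; a result of "affected" means someone has set "readonly" to false by hand, and reverting that edit (or removing the init-param so the default of true applies) restores the configuration the article relies on.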