
Is Release Automation affected by CVE-2017-5664: Apache Tomcat Security Constraint Bypass?


Article ID: 14803




CA Release Automation - Release Operations Center (Nolio), CA Release Automation - DataManagement Server (Nolio)


The security vulnerability CVE-2017-5664 was reported. The Apache Tomcat project resolved it in its latest build, but Release Automation (RA) does not bundle the latest Tomcat version.

Is Release Automation 6.x affected by CVE-2017-5664: Apache Tomcat Security Constraint Bypass?


Release: NOLNAC99000-6.1-Nolio-Automation Center


Basically, not affected.

The condition for this vulnerability is that the "readonly" property of the "DefaultServlet" class is set to false in CATALINA_HOME/conf/web.xml. If "readonly" is not set, the value is "true" by default. The RA installer does not set the "readonly" property, so RA is not affected by this vulnerability even though it does not use the latest Tomcat build.

Please check whether your web.xml has been deliberately modified by hand.
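One way to run that check, as an added example that is not part of the original article or of the product: the script parses web.xml, finds every DefaultServlet declaration, and reports whether "readonly" is explicitly set. The function names and the sample XML are constructed for illustration, and the script conservatively flags any explicit value other than "true".

```python
import sys
import xml.etree.ElementTree as ET

def local(tag):
    # Drop the "{namespace}" prefix so any web.xml schema version matches.
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def readonly_findings(web_xml):
    """Return [(servlet-name, explicit readonly value or None)] per DefaultServlet."""
    findings = []
    for servlet in ET.fromstring(web_xml).iter():  # XML comments are ignored by the parser
        if local(servlet.tag) != "servlet":
            continue
        if not (child_text(servlet, "servlet-class") or "").endswith("DefaultServlet"):
            continue
        value = None  # None means "readonly" is unset, so the default "true" applies
        for param in servlet:
            if local(param.tag) == "init-param" and child_text(param, "param-name") == "readonly":
                value = child_text(param, "param-value")
        findings.append((child_text(servlet, "servlet-name"), value))
    return findings

def needs_review(web_xml):
    # Conservative: any explicit value other than "true" is flagged.
    return any(v is not None and v.lower() != "true" for _, v in readonly_findings(web_xml))

# Constructed samples: a web.xml that leaves "readonly" unset, and a modified one.
UNSET = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
MODIFIED = UNSET.replace(
    "</servlet></web-app>",
    "  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n"
    "</servlet></web-app>")

if __name__ == "__main__":
    # Pass the path to CATALINA_HOME/conf/web.xml as the first argument.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else MODIFIED
    for name, value in readonly_findings(data):
        print(name, "readonly =", value if value is not None else "(unset, default true)")
    print("REVIEW web.xml" if needs_review(data) else "readonly not disabled")
```

Run without arguments, it evaluates the constructed modified sample and reports that web.xml needs review.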