
Apache Tomcat Restriction Bypass Vulnerability in Default Servlet CVE-2018-11784 Is Impacting Jive 9.0.3

Overview

Customers have reported that the Apache Tomcat Restriction Bypass Vulnerability in Default Servlet, CVE-2018-11784, affects Jive 9.0.3. CVE-2018-11784 is an open-redirect flaw in Tomcat's default servlet: when the servlet redirects a request for a directory to the same path with a trailing slash (for example /foo to /foo/), a specially crafted URL can make that redirect point to any URI of the attacker's choice. This article describes the issue and the options for mitigating or fixing it.

 

Environment

  • Jive Interactive Intranet-Jive Core-9.0.3
  • Apache Tomcat 8.0.x



 

Information

Jive does not explicitly set either of these Context attributes to true:

mapperDirectoryRedirectEnabled="true"
mapperContextRootRedirectEnabled="true"

When they are true, the Mapper issues the trailing-slash redirect itself, before the request ever reaches the default servlet; when they are false, the default servlet generates the redirect, and that is the code path in which CVE-2018-11784 lives.

According to the Tomcat 8.0.x configuration reference, if the attributes are not specified the defaults are:

mapperDirectoryRedirectEnabled="false"
mapperContextRootRedirectEnabled="true"

Because mapperDirectoryRedirectEnabled defaults to false, directory redirects on a stock Jive 9.0.3 installation are still generated by the default servlet, so the instance is very likely affected.

 

Solution

Here are possible mitigations for this issue:

  • Set both attributes to true on the Jive Context so that the Mapper, not the default servlet, generates the trailing-slash redirects. This works around the vulnerable code path rather than patching it; note that the Tomcat documentation warns the context-root redirect then confirms to a client that the context path exists.
  • Upgrade the Jive HOP Tomcat to a patched branch. Tomcat 8.0.x is EOL (end-of-life) and will not receive any security updates, so it will never be fixed. The fix for CVE-2018-11784 shipped in Tomcat 8.5.34 and 9.0.12, so move to the latest 8.5.x or 9.0.x release; Tomcat 9.0.7 is itself still affected.

For a complete resolution, update to Jive 9.0.7 or a later release.
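The following checker is an added example, not Jive's or Tomcat's own code. It applies the reasoning of the Information section above: it parses a Context element, fills in the documented per-branch defaults for the two mapper attributes when they are absent, and combines that with the Tomcat version to decide whether the default servlet is still generating redirects on an unfixed build. The fixed versions (7.0.91, 8.5.34, 9.0.12) come from the Tomcat security pages; the 8.0.x defaults are the ones quoted in this article, the other branches' defaults follow their own configuration references, and the context.xml snippets and version strings at the bottom are constructed samples rather than anything taken from a Jive installation.

```python
"""Assess a Tomcat <Context> for CVE-2018-11784 exposure.

Added example (not Jive's or Tomcat's code). Assumes a context.xml whose
root is <Context> and a Tomcat version string such as "8.0.53".
"""
import re
import xml.etree.ElementTree as ET

# First release on each branch that contains the fix for CVE-2018-11784.
# 8.0.x reached end of life without a fix, so every 8.0.x build counts as affected.
FIXED_IN = {"7.0": (7, 0, 91), "8.5": (8, 5, 34), "9.0": (9, 0, 12)}

# Defaults applied when the attribute is absent from <Context>. The 8.0.x row is
# the one quoted in the article; the others follow each branch's config reference.
MAPPER_DEFAULTS = {
    "7.0": {"mapperContextRootRedirectEnabled": True, "mapperDirectoryRedirectEnabled": False},
    "8.0": {"mapperContextRootRedirectEnabled": True, "mapperDirectoryRedirectEnabled": False},
    "8.5": {"mapperContextRootRedirectEnabled": False, "mapperDirectoryRedirectEnabled": False},
    "9.0": {"mapperContextRootRedirectEnabled": False, "mapperDirectoryRedirectEnabled": False},
}


def parse_version(version):
    """Return (branch, (major, minor, patch)); '9.0.0.M27' parses as 9.0.0."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return f"{major}.{minor}", (major, minor, patch)


def tomcat_has_fix(version):
    """True only for branches that received the fix, at or after the fixed release."""
    branch, triple = parse_version(version)
    fixed = FIXED_IN.get(branch)
    return fixed is not None and triple >= fixed


def effective_mapper_settings(context_xml, version):
    """Resolve both mapper attributes, substituting the branch default when absent."""
    branch, _ = parse_version(version)
    if branch not in MAPPER_DEFAULTS:
        raise ValueError(f"no default table for Tomcat {branch}.x")
    ctx = ET.fromstring(context_xml)
    if ctx.tag != "Context":
        raise ValueError("root element is not <Context>")
    settings = {}
    for name, default in MAPPER_DEFAULTS[branch].items():
        raw = ctx.get(name)
        settings[name] = default if raw is None else raw.strip().lower() == "true"
    return settings


def assess(context_xml, version):
    """Return (affected, reason).

    Redirects are generated by the default servlet, the vulnerable path, unless
    both mapper attributes are true, so an unfixed build is affected otherwise.
    """
    if tomcat_has_fix(version):
        return False, f"Tomcat {version} contains the fix"
    settings = effective_mapper_settings(context_xml, version)
    if all(settings.values()):
        return False, "Mapper generates both redirects; default servlet path not used"
    not_true = [name for name, value in settings.items() if not value]
    return True, "default servlet still generates redirects (not true: " + ", ".join(not_true) + ")"


# Constructed samples: attributes absent, as Jive ships them, and after the mitigation.
JIVE_DEFAULT_CONTEXT = '<Context path="" docBase="jive"/>'
MITIGATED_CONTEXT = (
    '<Context path="" docBase="jive" '
    'mapperContextRootRedirectEnabled="true" '
    'mapperDirectoryRedirectEnabled="true"/>'
)

if __name__ == "__main__":
    # Constructed version strings; 8.0.53 is the last 8.0.x release.
    for ctx, ver in [
        (JIVE_DEFAULT_CONTEXT, "8.0.53"),
        (MITIGATED_CONTEXT, "8.0.53"),
        (JIVE_DEFAULT_CONTEXT, "9.0.7"),
        (JIVE_DEFAULT_CONTEXT, "8.5.34"),
    ]:
        print(ver, assess(ctx, ver))
```

Run it against the context.xml the Jive HOP Tomcat actually loads and the version string reported by `catalina.sh version`; the version gate comes first deliberately, because once the build contains the fix the attribute values no longer matter for this CVE, whereas on 8.0.x the attributes are the only lever short of upgrading.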



Posted by Priyanka Bhotika