Customers indicate that the Apache Tomcat Restriction Bypass Vulnerability in Default Servlet CVE-2018-11784 impacts Jive 9.0.3. This article shares information about this issue and possible solutions for mitigating or fixing it.
- Jive Interactive Intranet-Jive Core-9.0.3
- Apache Tomcat 8.0.x
Jive does not explicitly set these attributes to true:
According to the Tomcat documentation, if the above attributes are not specified, then the default values are as follows:
This means that there is a good chance that mapperDirectoryRedirectEnabled is running with its default value in the default Servlet and that the instance is affected.
Here are possible mitigations of this issue:
- Set both the attributes to
- Upgrade Jive HOP Tomcat to the latest 8.5.x or 9.0.7 version since Tomcat 8.0.x is EOL (end-of-life) and will not be receiving any security updates.
For a complete resolution, update to Jive 9.0.7 or a later release.