Overview
Customers report that the Apache Tomcat Restriction Bypass Vulnerability in Default Servlet, CVE-2018-11784, affects Jive 9.0.3. This article shares information about the issue and the options available for mitigating or fixing it.
Environment
- Jive Interactive Intranet-Jive Core-9.0.3
- Apache Tomcat 8.0.x
Information
Jive does not explicitly set these Context attributes to true:
mapperDirectoryRedirectEnabled="true"
mapperContextRootRedirectEnabled="true"
According to the Tomcat documentation, if the attributes above are not specified, the defaults are as follows:
mapperDirectoryRedirectEnabled="false"
mapperContextRootRedirectEnabled="true"
Because mapperDirectoryRedirectEnabled defaults to false, directory redirects are generated by the default servlet, which is the code path affected by CVE-2018-11784. There is therefore a good chance that the instance is affected.
Solution
Here are possible mitigations of this issue:
- Set both attributes to true.
- Upgrade the Jive HOP Tomcat to the latest 8.5.x or 9.0.7 version, since Tomcat 8.0.x is end-of-life and will not receive any further security updates.
For a complete resolution, update to Jive 9.0.7 or a later release.
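The check in the Information section and the first mitigation above can be scripted. The following is an added example, not Jive's or Tomcat's own code: it reads a Tomcat context.xml, applies the defaults quoted above for any attribute that is not set, reports whether directory redirects still fall through to the default servlet, and emits the hardened Context element. It assumes the attributes live on the root <Context> element of conf/context.xml.

```python
"""Audit a Tomcat context.xml for the two Context attributes discussed above.

Assumption (not from the article): the attributes are set on the root
<Context> element of conf/context.xml.
"""
import xml.etree.ElementTree as ET

# Tomcat 8.0.x defaults as quoted in the article.
DEFAULTS = {
    "mapperDirectoryRedirectEnabled": "false",
    "mapperContextRootRedirectEnabled": "true",
}


def effective_settings(context_xml: str) -> dict:
    """Return the effective value of each attribute, applying the Tomcat
    default for any attribute that is not explicitly set on <Context>."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element")
    return {name: root.get(name, default).lower() for name, default in DEFAULTS.items()}


def default_servlet_handles_dir_redirect(context_xml: str) -> bool:
    """True when directory redirects are still generated by the default
    servlet, i.e. the code path the mitigation moves away from."""
    return effective_settings(context_xml)["mapperDirectoryRedirectEnabled"] != "true"


def hardened(context_xml: str) -> str:
    """Return the same <Context> with both attributes set to true,
    which is the first mitigation listed in the Solution section."""
    root = ET.fromstring(context_xml)
    for name in DEFAULTS:
        root.set(name, "true")
    return ET.tostring(root, encoding="unicode")


# Constructed sample resembling a stock context.xml with neither attribute set.
SAMPLE_UNSET = """<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""

if __name__ == "__main__":
    print(effective_settings(SAMPLE_UNSET))
    print("default servlet handles directory redirects:",
          default_servlet_handles_dir_redirect(SAMPLE_UNSET))
    print(hardened(SAMPLE_UNSET))
```

Run it against your own conf/context.xml by reading the file into a string; the hardened output is a starting point to review, not something to write back blindly.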