CVE-2021-24122 Apache Tomcat Information Disclosure (apache.org)
52 points by based2 on Jan 15, 2021 | hide | past | favorite | 18 comments


Somebody had better call Equifax directly this time and let them know. Yes, I know it was Struts last time, but...


How many CVEs exist because of paths, symlinks, etc. ...


Windows OS as a production environment for any Tomcat webapp seems very unlikely.


You would be surprised how many Microsoft shops among F500 do it all the time.

Here is another one, WebSphere on Windows.


In the late 2000s, I worked for an enterprise software company. Turns out many smaller customers that needed our software were Windows based and ran our Tomcat based software on Windows servers. The larger companies had dedicated Unix clusters for our software and other things.

In the world of SaaS, this becomes less of a thing, but there are still a lot of non-tech small businesses that start with Windows based IT solutions because they want Office & Outlook. Then they find some domain specific thing that they want to host and since they know Windows, it runs on a Windows server.


Totally normal in enterprise environments. "We only have Windows, you'll run it on Windows."


Should be very unlikely. Unfortunately, there's a lot of this sort of thing. It's especially popular with enterprise software, which will often be a Windows exe or msi that wraps Tomcat and a Java app.


Saw some real ugliness with a large company as late as 2019:

The company is trying to move to the cloud they think.

What they don't know is they have servers like this, running on internet facing machines, and the http servers are missing two years of patches!

All hanging by the thin thread of ip filtering using a geo ip database (that is also outdated) etc.

Yep: management and IT want Windows because maintainability, that particular dev wanted Apache server so Apache server on Windows it was.


Note that Apache Tomcat is an implementation of Java Servlets, not to be confused with Apache httpd, the venerable web server.


A quick look around and I see McAfee ePO and MicroStrategy running this configuration in one organisation. Seems common across my customers.


More common than you think. PowerSchool is a major Student Info System. Tomcat on Windows.


I have so many customers running Spring Boot apps on embedded Tomcat on Windows Server.


Any details? Is this an Apache vulnerability or a JRE one?



Thanks, so looks like this was all about the ":" character producing unexpected behavior.


Thank you!


According to the CVE, the root cause is unexpected behavior in the JRE caused by inconsistent behavior in the Windows API.


It looks like they are using getCanonicalPath to ensure that the file is under the serving root but there is some behavior that confused the Tomcat code. I can imagine this bug could manifest in other software that depends on this behavior on Windows.
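The two comments above describe the idiom at issue: canonicalize the requested path with File.getCanonicalPath() and check that the result still sits under the serving root, an idiom that breaks when the JRE and the underlying filesystem disagree about what a name containing ":" refers to. The following is an added example written for this page, not Tomcat's code. It shows the naive string-prefix version of the check beside a stricter variant that refuses suspicious names before the filesystem ever interprets them and compares the canonical results as Path objects. The class name, the demo root directory and the sample file names are assumptions made for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not Tomcat's code): a document-root containment check
 * done the naive way and a stricter way.
 */
public class ContainmentCheck {

    /**
     * Naive idiom: canonicalize root and target, then do a string prefix test.
     * Correct only if getCanonicalPath() and the filesystem agree on what the
     * name means, which is exactly the assumption that fails in the CVE above.
     */
    static boolean naiveIsUnderRoot(File root, String requested) throws IOException {
        String canonicalRoot = root.getCanonicalPath() + File.separator;
        String canonicalTarget = new File(root, requested).getCanonicalPath();
        return canonicalTarget.startsWith(canonicalRoot);
    }

    /**
     * Stricter variant: validate the relative name before touching the
     * filesystem, then compare canonical paths element-wise.
     */
    static boolean strictIsUnderRoot(File root, String requested) throws IOException {
        for (String segment : requested.split("[/\\\\]")) {
            // Empty, "." and ".." segments are never needed for a served resource.
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false;
            }
            // Conservative allow-list. ':' is excluded on every platform because on
            // NTFS it introduces alternate data streams (name::$DATA) and drive-letter
            // syntax, which the OS interprets before Java ever sees the result.
            if (!segment.matches("[A-Za-z0-9._-]+")) {
                return false;
            }
            // Windows silently strips trailing dots and spaces from names.
            if (segment.endsWith(".") || segment.endsWith(" ")) {
                return false;
            }
        }
        Path canonicalRoot = root.getCanonicalFile().toPath();
        Path canonicalTarget = new File(root, requested).getCanonicalFile().toPath();
        // Path.startsWith compares whole name elements, so /srv/app never matches /srv/app2.
        return canonicalTarget.startsWith(canonicalRoot) && !canonicalTarget.equals(canonicalRoot);
    }

    public static void main(String[] args) throws IOException {
        // Assumed demo root: a throwaway directory with one "JSP" in it.
        File root = Files.createTempDirectory("webroot-demo").toFile();
        Files.write(new File(root, "index.jsp").toPath(), "<%= 1 + 1 %>".getBytes());

        // Constructed sample requests: one benign, one classic traversal,
        // one using the ':' character the thread is talking about.
        String[] requests = { "index.jsp", "../../etc/passwd", "index.jsp::$DATA" };
        for (String r : requests) {
            System.out.printf("%-20s naive=%-5s strict=%s%n",
                    r, naiveIsUnderRoot(root, r), strictIsUnderRoot(root, r));
        }
    }
}
```

Run it on Linux and on Windows and compare the naive column: on a POSIX filesystem "index.jsp::$DATA" is just an odd file name under the root, while on NTFS the same string names a data stream of index.jsp, and whether getCanonicalPath() reports that is what the advisory is about. The strict column rejects it in both places because the decision is made on the request string, not on what the filesystem returns.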



