Vulnerabilities - Apache and Tomcat

I am getting 5 vulnerabilities identified by our security scanner. We are running 2017.1.2 Build 46812:

Apache Tomcat 'MultipartStream' Class Denial of Service Vulnerability (Windows)

Apache Tomcat HTTP Request Line Information Disclosure Vulnerability (Windows)

Apache Tomcat 'pipelined' Requests Information Disclosure Vulnerability (Windows)

Apache Tomcat 'SecurityManager' Information Disclosure Vulnerability (Windows)

Apache Tomcat Security Bypass Vulnerability (Windows)

The resolution is pretty much the same for all:

Installed version: 7.0.68
Fixed version: 7.0.78

Affected Software/OS:
Apache Tomcat 9.0.0.M1 to 9.0.0.M20,
Apache Tomcat 8.5.0 to 8.5.14,
Apache Tomcat 8.0.0.RC1 to 8.0.43 and
Apache Tomcat 7.0.0 to 7.0.77 on Windows

Solution:
Upgrade to version 9.0.0.M21, or 8.5.15,
or 8.0.44, or 7.0.78 or later. For updates refer to
http://tomcat.apache.org

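As an added example (not code from the post or from JetBrains), a small Python triage helper that encodes the affected ranges and fixed versions exactly as the scanner reported them above and tells you whether a given Tomcat version still needs the upgrade. The parser handles Tomcat's milestone (M) and release-candidate (RC) suffixes, which a plain string comparison gets wrong; the ordering M-before-RC-before-GA is an assumption that matches Tomcat's release naming.

```python
import re

# Affected ranges and fixed versions, copied from the scanner output quoted in the post.
AFFECTED = [
    ("9.0.0.M1", "9.0.0.M20", "9.0.0.M21"),
    ("8.5.0", "8.5.14", "8.5.15"),
    ("8.0.0.RC1", "8.0.43", "8.0.44"),
    ("7.0.0", "7.0.77", "7.0.78"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")
# Assumed pre-release ordering: milestones precede release candidates; GA comes last.
_PRE_RANK = {"M": 0, "RC": 1}


def parse_version(text):
    """Turn a Tomcat version string into a sortable tuple.

    Pre-release builds (9.0.0.M20, 8.0.0.RC1) sort before the GA build
    that carries the same numeric part (9.0.0, 8.0.0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, kind, num = m.groups()
    if kind is None:
        pre = (1, 0, 0)                      # GA release
    else:
        pre = (0, _PRE_RANK[kind], int(num))  # milestone or release candidate
    return (int(major), int(minor), int(patch)) + pre


def check_tomcat(installed):
    """Return the version to upgrade to if `installed` is in an affected range, else None."""
    v = parse_version(installed)
    for low, high, fixed in AFFECTED:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


if __name__ == "__main__":
    for candidate in ("7.0.68", "8.5.16", "9.0.0.M20"):
        print(candidate, "->", check_tomcat(candidate) or "not in an affected range")
```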

Hi and thanks for your report.

We have already updated Tomcat to 8.5.16 (which should not be impacted) for our EAP for version 2017.2, already available here: https://confluence.jetbrains.com/pages/viewpage.action?pageId=22542. This will at least be the version for 2017.2, and I've added an internal issue in our tracker referencing this post to evaluate upgrading the Tomcat version within the bugfix 2017.1.3 release.

We also provide TeamCity as a WAR file available to deploy on your own server, which, although usually not recommended, can help prevent this kind of issue if it is a major concern for your installation.

Hope this helps.
