Is Release Automation affected by CVE-2017-5664: Apache Tomcat Security Constraint Bypass?

Document ID : KB000014803
Last Modified Date : 14/02/2018
Introduction:

Security vulnerability CVE-2017-5664 was reported. The Apache Tomcat project resolved it in its latest build, but Release Automation (RA) does not bundle the latest Tomcat version.

Question:

Is Release Automation 6.x affected by CVE-2017-5664: Apache Tomcat Security Constraint Bypass?

Answer:

Basically, not affected.

This vulnerability only applies when the "readonly" property of the "DefaultServlet" class is set to false in CATALINA_HOME/conf/web.xml. If "readonly" is not set, its value is "true" by default. The RA installer does not set the "readonly" property, so RA is not affected by this vulnerability even though it does not use the latest Tomcat build.

Please check whether your web.xml has been modified manually on purpose.
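As an added check (not part of this KB article), the following script reads a Tomcat conf/web.xml and reports whether the DefaultServlet is declared with readonly=false, the precondition described above; the embedded sample web.xml is constructed for the demonstration.

```python
# Added example, not from the KB article: report whether a Tomcat conf/web.xml
# declares DefaultServlet with readonly=false, the precondition the article names.
# Namespace-agnostic: Tomcat's web.xml uses a java.sun.com or xmlns.jcp.org
# default namespace depending on version.
import sys
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    """Strip a namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_readonly(web_xml_text):
    """For each DefaultServlet declaration return (name, readonly, explicitly_set).
    Unset readonly counts as True, Tomcat's default."""
    results = []
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, cls, readonly, explicit = "", "", True, False
        for child in servlet:
            tag, val = _local(child.tag), (child.text or "").strip()
            if tag == "servlet-name":
                name = val
            elif tag == "servlet-class":
                cls = val
            elif tag == "init-param":
                p = {_local(c.tag): (c.text or "").strip() for c in child}
                if p.get("param-name") == "readonly":
                    explicit = True
                    readonly = p.get("param-value", "").lower() != "false"
        if cls == DEFAULT_SERVLET:
            results.append((name, readonly, explicit))
    return results

def is_exposed(web_xml_text):
    """True if any DefaultServlet is declared with readonly=false."""
    return any(not ro for _, ro, _ in default_servlet_readonly(web_xml_text))

# Constructed sample: stock-style declaration with readonly left unset.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print("EXPOSED" if is_exposed(text) else "not affected", default_servlet_readonly(text))
```

Run it against the real file with `python check_readonly.py $CATALINA_HOME/conf/web.xml`; an unset or true "readonly" matches the unaffected state described in the answer.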