ePolicy Orchestrator Sustaining Statement (SSC1803193) - Tomcat vulnerability CVE-2018-1304 and CVE-2018-1305 (low risk)
Last Modified: 2023-07-21 11:16:28 Etc/GMT
Technical Articles ID: KB90360

Environment
ePolicy Orchestrator (ePO) 5.x
Summary
This document describes the support position of Sustaining Engineering relative to a Trellix application.

Overview
This document addresses concerns about ePO and the Tomcat vulnerabilities. It reflects questions about CVE-2018-1304 and CVE-2018-1305, referenced in the Tomcat Security Advisory. Review additional information at the National Vulnerability Database.

Description
CVE-2018-1304: The URL pattern of "" (the empty string), which exactly maps to the context root, isn't correctly handled when used as part of a security constraint definition, causing the constraint to be ignored. Under this condition, unauthorized users can gain access to web application resources that would otherwise be protected. Only security constraints with a URL pattern of the empty string are affected.

CVE-2018-1305: Security constraints defined by annotations of Servlets are only applied after a Servlet has been loaded. Security constraints defined in this way apply to the URL pattern and any URLs below it. Depending on the order in which Servlets are loaded, some security constraints might not be applied, so users who aren't authorized might have access to resources that they shouldn't.

Research and Conclusions
The ePO Engineering team has researched these vulnerabilities and determined that they affect ePO minimally and are a low-risk issue. Based on our usage, the CVSS scores determined for both these CVEs are very low: 2.6/2.3 (Base/Temporal score). Resolution for these issues is planned in the next available ePO patch release (5.10).

Disclaimer
Any future product release dates mentioned in this statement are intended to outline our general product direction and shouldn't be relied on in making a purchasing decision:
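To audit a deployment descriptor for the exact condition CVE-2018-1304 describes, here is an added example (not Trellix code, and not taken from ePO's own descriptors) that parses a constructed web.xml and reports every security constraint whose url-pattern is the empty string, the only pattern the advisory says is affected:

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not ePO's own web.xml). The first
# constraint uses the empty-string pattern (context root only), which
# CVE-2018-1304 describes as being ignored; the second uses "/*" and is not
# affected by that CVE.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>root-only</display-name>
    <web-resource-collection>
      <web-resource-name>Context root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>everything</display-name>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag: str) -> str:
    """Drop the XML namespace so namespaced and plain descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def empty_pattern_constraints(web_xml: str) -> list:
    """Return the display names of <security-constraint> elements that rely on
    the empty-string url-pattern. Whitespace-only patterns are treated as empty
    (an assumption for this audit, not a statement about Tomcat's parsing)."""
    root = ET.fromstring(web_xml)
    hits = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name_el = next((e for e in sc.iter() if _local(e.tag) == "display-name"), None)
        name = (name_el.text or "").strip() if name_el is not None else "<unnamed>"
        if any(_local(e.tag) == "url-pattern" and (e.text or "").strip() == ""
               for e in sc.iter()):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for n in empty_pattern_constraints(SAMPLE_WEB_XML):
        print(f"constraint '{n}' uses the empty-string url-pattern (see CVE-2018-1304)")
```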