Bug 64009 - Embedded Tomcat has insecure default by activating JspServlet without opt-in
Summary: Embedded Tomcat has insecure default by activating JspServlet without opt-in
Status: RESOLVED DUPLICATE of bug 64008
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.5.50
Hardware: PC Windows NT
Importance: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2019-12-17 10:10 UTC by emergency.shower
Modified: 2019-12-17 10:48 UTC (History)
CC List: 0 users


Description emergency.shower 2019-12-17 10:10:42 UTC
By default, and under certain circumstances (see https://bz.apache.org/bugzilla/show_bug.cgi?id=64008), embedded Tomcat automatically adds the JspServlet and servlet mappings for it to web apps.

From a security point of view this behaviour leads to an increased vulnerability surface without user opt-in. It should therefore probably be avoided.

Currently we are using a patched version of embedded Tomcat that does not inject the JspServlet programmatically, but this does not seem to be a good long-term perspective.
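Added example, not part of the bug report or of Tomcat's own code: a small embedded-Tomcat program that builds two contexts and inspects which servlets actually ended up registered. It assumes Tomcat.addWebapp() is the code path on which the defaults described above get applied (via Tomcat's DefaultWebXmlListener), that tomcat-embed-core and tomcat-embed-jasper 8.5.x are on the classpath, and that an empty directory can serve as docBase; the context paths, the base directory and the helper name hasJspServlet are choices made here for illustration.

```java
import java.io.File;

import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Wrapper;
import org.apache.catalina.servlets.DefaultServlet;
import org.apache.catalina.startup.Tomcat;

public class JspServletDefaultsCheck {

    private static final String JSP_SERVLET_CLASS = "org.apache.jasper.servlet.JspServlet";

    /**
     * Hypothetical helper (not Tomcat API): true if the context has a wrapper whose
     * servlet class is JspServlet, or a *.jsp / *.jspx mapping, regardless of who added it.
     */
    static boolean hasJspServlet(Context ctx) {
        for (Container child : ctx.findChildren()) {
            if (child instanceof Wrapper
                    && JSP_SERVLET_CLASS.equals(((Wrapper) child).getServletClass())) {
                return true;
            }
        }
        return ctx.findServletMapping("*.jsp") != null
                || ctx.findServletMapping("*.jspx") != null;
    }

    /** Fail fast at startup instead of discovering the extra servlet in production. */
    static void requireNoJspServlet(Context ctx) {
        if (hasJspServlet(ctx)) {
            throw new IllegalStateException(
                    "JspServlet registered in context " + ctx.getPath() + " without opt-in");
        }
    }

    public static void main(String[] args) throws LifecycleException {
        // Assumed layout: a scratch base dir and an empty docBase (constructed for this example).
        File baseDir = new File(System.getProperty("java.io.tmpdir"), "embedded-tomcat-check");
        File docBase = new File(baseDir, "webapp");
        docBase.mkdirs();

        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(baseDir.getAbsolutePath());
        tomcat.setPort(8080);
        tomcat.getConnector(); // creates the default HTTP connector

        // Path 1: addWebapp() attaches Tomcat's default-web.xml listener, which registers
        // DefaultServlet, JspServlet and the *.jsp/*.jspx mappings before the context starts.
        Context withDefaults = tomcat.addWebapp("/defaults", docBase.getAbsolutePath());

        // Path 2: addContext() attaches no such listener; only what is added here exists.
        Context minimal = tomcat.addContext("/minimal", docBase.getAbsolutePath());
        Wrapper defaultServlet = Tomcat.addServlet(minimal, "default", new DefaultServlet());
        defaultServlet.setLoadOnStartup(1);
        minimal.addServletMappingDecoded("/", "default");

        tomcat.start();
        try {
            // Inspect the effective registrations rather than trusting the configuration.
            System.out.println("/defaults has JspServlet: " + hasJspServlet(withDefaults));
            System.out.println("/minimal  has JspServlet: " + hasJspServlet(minimal));

            // In an application that never opted in to JSP, this is the check to run at boot.
            requireNoJspServlet(minimal);
        } finally {
            tomcat.stop();
            tomcat.destroy();
        }
    }
}
```

The point of inspecting the started Context rather than the code that configured it is that the defaults are applied by a lifecycle listener, so a review of the application's own servlet registrations says nothing about what is mapped. If a JSP engine is not wanted at all, leaving tomcat-embed-jasper off the classpath removes the implementation class as well, but it does not remove the registration and mapping, which is exactly the behaviour the report objects to.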
Comment 1 Remy Maucherat 2019-12-17 10:16:08 UTC

*** This bug has been marked as a duplicate of bug 64008 ***
Comment 2 emergency.shower 2019-12-17 10:29:54 UTC
I don't think that this is a duplicate of 64008.

This issue is about insecure defaults. 64008 is about how difficult (if not impossible) it is to prevent these insecure defaults from being applied.
Comment 3 Remy Maucherat 2019-12-17 10:48:37 UTC
Please use the appropriate mailing list for discussion: security for security-related discussions, user for details and investigation on how to use Tomcat.