Introduction
The Apache Tomcat® Security Team reviews reported vulnerabilities against the following security model:
Administrative users
Administrative users are always considered to be trusted. Reports for vulnerabilities where an attacker already has access to or control over any of the following will be rejected:
- Tomcat binaries and/or scripts.
- Tomcat configuration files.
- Tomcat log files.
- The temp directory (by default $CATALINA_BASE/temp).
- Web application working directories (by default $CATALINA_BASE/work).
- The Manager or Host Manager web applications provided with Tomcat.
- The JMX API (local or remote).
- The Java Attach API or any other debugging interface.
Reports for vulnerabilities where an attacker tricks an administrative user into performing an action the administrator did not intend to perform (e.g. CSRF vulnerabilities) will be accepted.
Web applications
Web applications deployed to Tomcat are considered to be trusted. Vulnerabilities in user-provided web applications are application vulnerabilities, not Tomcat vulnerabilities.
Web applications that enable functionality that allows the modification of the web application (e.g. WebDAV, HTTP PUT requests or similar) are expected to take steps to secure that functionality. Failure to do so is an application vulnerability, not a Tomcat vulnerability.
Reports of vulnerabilities in the web applications included with standard Tomcat distributions from the ASF will be accepted. Reporters should review the comments about each of the provided applications in the Security Considerations section of the documentation for the version under test.
Connectors
Data received via a Connector, regardless of protocol, is considered to be untrusted with the exception of:
- The standard request attributes and any arbitrary request attributes permitted by allowedRequestAttributesPattern for an AJP connector.
- HTTP headers processed by a RemoteIpValve, SSLValve, equivalent filters (RemoteIpFilter) or any similar functionality.
All clients (including reverse proxies) are responsible for the consequences of the data they present to Tomcat. If a client presents a (potentially malformed) request that Tomcat processes as per the specification for the configured protocol, then any security impact to the client is the client's responsibility.
Clustering
Cluster traffic requires a trusted network unless the EncryptInterceptor is used, in which case confidentiality and integrity will be protected but not availability.
Multicast cluster membership always requires a trusted network.
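As an added illustration (not part of the Tomcat documentation or its default server.xml), this fragment narrows the trust exceptions described in the Connectors and Clustering sections: the AJP connector is bound to loopback, requires a shared secret and admits only one named request attribute; the RemoteIpValve accepts forwarded headers only from listed proxies; and the cluster channel carries an EncryptInterceptor. The port, bind address, proxy range, attribute pattern and the two CHANGE-ME secrets are assumed values.

```xml
<!-- Added example fragment for server.xml; values are assumptions, not Tomcat defaults. -->
<Service name="Catalina">

  <!-- AJP is the one connector whose request attributes Tomcat treats as trusted.
       Bind to loopback, require the shared secret, and permit only the
       attribute the front-end proxy is expected to send. -->
  <Connector protocol="AJP/1.3"
             port="8009"
             address="127.0.0.1"
             secretRequired="true"
             secret="CHANGE-ME-ajp-secret"
             allowedRequestAttributesPattern="^AJP_REMOTE_USER$" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Headers rewritten by RemoteIpValve are trusted downstream, so limit
         which upstream addresses may supply X-Forwarded-* headers. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.\d{1,3}"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto" />

    <!-- EncryptInterceptor gives cluster traffic confidentiality and integrity;
         availability still depends on the network being trusted. -->
    <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
      <Channel className="org.apache.catalina.tribes.group.GroupChannel">
        <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                     encryptionKey="CHANGE-ME-hex-encoded-aes-key" />
      </Channel>
    </Cluster>

    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

Multicast membership is unaffected by the interceptor, so the membership network itself still has to be trusted as the section states.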
Logging
Security-sensitive information will not be logged with the default configuration apart from anything included in the request URI.
Security-sensitive information may be logged with modified logging configurations, particularly if debug logging is enabled.
The default logs are likely to contain personally identifiable information (PII) such as the IP address of users.
Tomcat is not responsible for the content of log messages generated by applications.