Apache Tomcat^®

The Apache Tomcat^® Security Team reviews reported vulnerabilities against the following security model:

Administrative users are always considered to be trusted. Reports for vulnerabilities where an attacker already has access to or control over any of the following will be rejected:

• Tomcat binaries and/or scripts.
• Tomcat configuration files.
• Tomcat log files.
• The temp directory (by default $CATALINA_BASE/temp)
• Web application working directories (by default $CATALINA_BASE/work)
• The Manager or Host Manager web applications provided with Tomcat.
• The JMX API (local or remote).
• The Java Attach API or any other debugging interface.

Reports for vulnerabilities where an attacker tricks an administrative user into performing an action the administrator did not intend to perform (e.g. CSRF vulnerabilities) will be accepted.

Web applications deployed to Tomcat are considered to be trusted. Vulnerabilities in user-provided web applications are application vulnerabilities, not Tomcat vulnerabilities.

Web applications that enable functionality that allows the modification of the web application (e.g. WebDAV, HTTP PUT requests or similar) are expected to take steps to secure that functionality. Failure to do so is an application vulnerability, not a Tomcat vulnerability.

Reports of vulnerabilities in the web applications included with standard Tomcat distributions from the ASF will be accepted. Reporters should review the comments about each of the provided applications in the Security Considerations section of the documentation for the version under test.

Data received via a Connector, regardless of protocol, is considered to be untrusted with the exception of:

• The standard request attributes and any arbitrary request attributes permitted by allowedRequestAttributesPattern for an AJP connector.
• HTTP headers processed by a RemoteIpValve, SSLValve, equivalent filters (RemoteIpFilter) or any similar functionality.

All clients (including reverse proxies) are responsible for the consequences of the data they present to Tomcat. If a client presents a (potentially malformed) request that Tomcat processes as per the specification for the configured protocol, then any security impact to the client is the client's responsibility.

Cluster traffic requires a trusted network unless the EncryptInterceptor is used in which case confidentiality and integrity will be protected but not availability.

Multicast cluster membership always requires a trusted network.

Security-sensitive information will not be logged with the default configuration apart from anything included in the request URI.

Security-sensitive information may be logged with modified logging configurations, particularly if debug logging is enabled.

The default logs are likely to contain personally identifiable information (PII) such as the IP address of users.

Tomcat is not responsible for the content of log messages generated by applications.