
Security model for Apache Tomcat

Introduction

The Apache Tomcat® Security Team reviews reported vulnerabilities against the following security model:

Administrative users

Administrative users are always considered to be trusted. Reports for vulnerabilities where an attacker already has access to or control over any of the following will be rejected:

  • Tomcat binaries and/or scripts.
  • Tomcat configuration files.
  • Tomcat log files.
  • The temp directory (by default $CATALINA_BASE/temp).
  • Web application working directories (by default $CATALINA_BASE/work).
  • The Manager or Host Manager web applications provided with Tomcat.
  • The JMX API (local or remote).
  • The Java Attach API or any other debugging interface.

Reports for vulnerabilities where an attacker tricks an administrative user into performing an action the administrator did not intend to perform (e.g. CSRF vulnerabilities) will be accepted.

Web applications

Web applications deployed to Tomcat are considered to be trusted. Vulnerabilities in user-provided web applications are application vulnerabilities, not Tomcat vulnerabilities.

Reports of vulnerabilities in the web applications included with standard Tomcat distributions from the ASF will be accepted. Reporters should review the comments about each of the provided applications in the Security Considerations section of the documentation for the version under test.

Connectors

Data received via a Connector, regardless of protocol, is considered to be untrusted with the exception of:

  • The standard request attributes and any arbitrary request attributes permitted by allowedRequestAttributesPattern for an AJP connector.
  • HTTP headers processed by a RemoteIpValve, SSLValve, equivalent filters (RemoteIpFilter) or any similar functionality.

Clients are responsible for the consequences of the data they present to Tomcat. If a client presents a malformed request that Tomcat processes as per the specification for the configured protocol, then any security impact to the client is the client's responsibility.
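Because headers handled by a RemoteIpValve and request attributes admitted by allowedRequestAttributesPattern become trusted input, the configuration decides how wide that trust boundary is. The server.xml fragment below is an added example written for this page, not configuration shipped with Tomcat: the proxy address 10.0.0.5, the AJP secret value and the attribute name tenant_id are placeholders chosen for illustration.

```xml
<Service name="Catalina">
  <!-- HTTP connector: every byte a client sends here is untrusted input. -->
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />

  <!-- AJP connector, bound to loopback so only the local reverse proxy can reach it.
       secretRequired/secret authenticate the proxy; allowedRequestAttributesPattern
       names the only arbitrary request attribute the proxy is expected to set
       (tenant_id is a hypothetical name). With the default (no pattern) no
       arbitrary attributes are accepted at all. -->
  <Connector port="8009" protocol="AJP/1.3"
             address="127.0.0.1"
             secretRequired="true"
             secret="REPLACE-WITH-LONG-RANDOM-SECRET"
             allowedRequestAttributesPattern="^tenant_id$" />

  <Engine name="Catalina" defaultHost="localhost">
    <!-- RemoteIpValve rewrites the client address and scheme from forwarding
         headers, so those headers are honoured only when the immediate peer
         address matches internalProxies (or trustedProxies). Restricting the
         regular expression to the one known proxy (10.0.0.5, placeholder) keeps
         the trust boundary tight; a permissive value such as ".*" would let any
         direct client choose the address that ends up in logs and access
         decisions. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           internalProxies="10\.0\.0\.5" />
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

The default value of internalProxies already matches the RFC 1918 and loopback ranges, which is appropriate when the proxy sits on a private network; narrowing it to the exact proxy address matters most when untrusted hosts share that address space.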

Clustering

Cluster traffic requires a trusted network unless the EncryptInterceptor is used, in which case confidentiality and integrity will be protected but not availability.

Multicast cluster membership always requires a trusted network.

Logging

Security-sensitive information will not be logged with the default configuration apart from anything included in the request URI.

Security-sensitive information may be logged with modified logging configurations, particularly if debug logging is enabled.

The default logs are likely to contain personally identifiable information (PII) such as the IP address of users.

Tomcat is not responsible for the content of log messages generated by applications.