PCI Compliance Vulnerability

Posted on 2009-12-22
Last Modified: 2013-12-02
The remote host is running a vulnerable version of Apache Tomcat. A RequestDispatcher API is vulnerable to a directory traversal attack. This could allow an attacker to view files outside of the web application's root.


Remediation Action: Upgrade to versions 6.0.20/4.1.SVN or later or apply the patches referenced in the vendor advisory.

Threat: Med


What is the solution for this?
Question by: akgautham
    LVL 57

    Accepted Solution

    Umm, the remote host needs to either upgrade to the versions listed or apply the patches referenced in vendor's advisory.

    What don't you understand?

    LVL 26

    Assisted Solution

    Note section 6.1 of the PCI-DSS regs requires you to apply vendor released security patches within a month of release. So to be compliant / pass an audit (avoid a fine) you must have a documented procedure in place, that tasks someone / a group with checking for, downloading, evaluating, testing and scheduling the application of vendor security patches.

    Judging by the tags above you should be subscribing to the Apache HTTP, Tomcat, Sun Java and whatever OS, Firewall and DB you run, Announce email lists. These will detail the release of any new security patches.

    To catch up have a look at the appropriate vendor pages, and see what you are vulnerable to e.g.
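Added example, not part of either answer above and not code from the Apache Tomcat project: a small checker that reads the `Server version:` line that `catalina.sh version` prints and compares it against the 6.0.20 minimum given in the scan finding. The sample output is constructed. Only the 6.0 branch has a concrete fixed number on this page, so any other branch (or a missing version line) is reported as `unknown` and left to the vendor advisory rather than guessed at.

```python
import re
from typing import Optional, Tuple

# Minimum fixed release named in the scan finding for the Tomcat 6.0 branch.
# The finding gives no concrete number for other branches, so this checker
# reports "unknown" for them instead of inventing one (assumption: 6.0 only).
FIXED_6_0 = (6, 0, 20)

# Matches the "Server version: Apache Tomcat/x.y.z" line from `catalina.sh version`
VERSION_RE = re.compile(r"Server version:\s*Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_server_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `catalina.sh version` style output.

    Returns None when no 'Server version:' line is present, e.g. when the
    command output was captured from a host that is not running Tomcat.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: Optional[Tuple[int, int, int]]) -> str:
    """Classify an installed Tomcat against the fixed version from the finding.

    'vulnerable' : 6.0.x older than 6.0.20
    'fixed'      : 6.0.20 or later on the 6.0 branch
    'unknown'    : no version found, or a branch this check has no number for
    """
    if version is None:
        return "unknown"
    if version[:2] == (6, 0):
        return "fixed" if version >= FIXED_6_0 else "vulnerable"
    return "unknown"


def check_output(text: str) -> str:
    """Convenience wrapper: raw `catalina.sh version` output -> status string."""
    return assess(parse_server_version(text))


# Constructed sample output in the shape `catalina.sh version` prints
SAMPLE_VULNERABLE = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/6.0.18
Server built:   Jul 22 2008 02:00:36
"""

SAMPLE_FIXED = "Server version: Apache Tomcat/6.0.20\n"

if __name__ == "__main__":
    # Typical use: catalina.sh version > out.txt ; python check.py < out.txt
    for name, sample in (("sample-vulnerable", SAMPLE_VULNERABLE),
                         ("sample-fixed", SAMPLE_FIXED)):
        print(f"{name}: {check_output(sample)}")
```

Run it against saved output from each Tomcat host; a `vulnerable` result means the host is below the version the remediation action names, a `fixed` result means it is at or above it, and `unknown` means the branch is not covered by this page's numbers and the vendor advisory has to be consulted directly.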
