https://bugzilla.redhat.com/show_bug.cgi?id=1838332
--- Comment #39 from Yadnyawalk Tale <ytale(a)redhat.com> ---
Statement:
In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity
Management are using the pki-servlet-engine component, which embeds a
vulnerable version of Tomcat. However, in these specific contexts, the
prerequisites to the vulnerability are not met. The PersistentManager is not
set, and a SecurityManager is used. The use of pki-servlet-engine outside of
these contexts is not supported. As a result, the vulnerability cannot be
triggered in supported configurations of these products. A future update may
update Tomcat in pki-servlet-engine.
Red Hat Satellite does not ship Tomcat and rather uses its configuration. The
product is not affected because the configuration does not make use of
PersistentManager or FileStore. Tomcat updates can be obtained from Red Hat
Enterprise Linux (RHEL) RHSA.
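One way to check the configuration prerequisite named in the statement above (a PersistentManager backed by a FileStore), as an added example that is not part of the original comment or of any Red Hat tooling. The two class names are Tomcat's own; the function names and the sample XML are constructed for illustration, and the check does not cover whether a SecurityManager is in use.

```python
import xml.etree.ElementTree as ET

# Tomcat's session manager and store class names.
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"


def audit_session_manager(xml_text):
    """Classify every <Manager> in a Tomcat context.xml/server.xml document.

    Returns a list of (manager_class, store_class, verdict) tuples. An empty
    list means no <Manager> element is present, in which case Tomcat falls
    back to its default StandardManager.
    """
    results = []
    for mgr in ET.fromstring(xml_text).iter("Manager"):
        mgr_class = mgr.get("className", "")
        store = mgr.find("Store")
        store_class = store.get("className", "") if store is not None else ""
        if mgr_class != PERSISTENT_MANAGER:
            verdict = "prerequisite-not-met"
        elif store_class == FILE_STORE:
            verdict = "persistent-manager-with-filestore"
        else:
            verdict = "persistent-manager-other-store"
        results.append((mgr_class, store_class, verdict))
    return results


def prerequisite_configured(xml_text):
    """True only when a PersistentManager is paired with a FileStore."""
    return any(v == "persistent-manager-with-filestore"
               for _, _, v in audit_session_manager(xml_text))


# Constructed sample configurations (not taken from any product).
DEFAULT_CTX = "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"
FILESTORE_CTX = (
    '<Context><Manager className="org.apache.catalina.session.PersistentManager">'
    '<Store className="org.apache.catalina.session.FileStore" directory="sessions"/>'
    "</Manager></Context>"
)
OTHER_STORE_CTX = (
    '<Context><Manager className="org.apache.catalina.session.PersistentManager">'
    '<Store className="org.apache.catalina.session.JDBCStore"/></Manager></Context>'
)

if __name__ == "__main__":
    for name, ctx in [("default", DEFAULT_CTX), ("filestore", FILESTORE_CTX),
                      ("other-store", OTHER_STORE_CTX)]:
        print(name, prerequisite_configured(ctx), audit_session_manager(ctx))
```
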