by imtringued 2267 days ago
That reminds me of the Ghostcat vulnerability in Tomcat. Basically our manager informed us about the vulnerability and set up a meeting to discuss possible solutions. Well, it was pretty obvious that you just need to set an AJP secret and update to the latest version. So that means editing maybe 4 lines in apache/tomcat config files and then restarting tomcat after the latest version has been installed. Obviously, we were done before that meeting even started but for some reason our manager got super excited about this microscopic victory. I'm not sure what caused his expectations to be so low but then I took a look at the results of our automated vulnerability scanner and I suddenly understood why. Some teams within this organization truly don't care about security at all.
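The two config changes the comment refers to, as an added illustration (not the commenter's own files): the AJP connector in Tomcat's server.xml before and after hardening; the secret value and the loopback address are assumptions for this example.

```xml
<!-- Added example, not taken from the original comment or from a real deployment. -->

<!-- BEFORE: the stock AJP connector that Ghostcat abused. It listens on all
     interfaces and requires no shared secret, so anything that can reach
     port 8009 can talk AJP to Tomcat. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- AFTER (on a Tomcat release that includes the fix): bind the connector to
     loopback so only the local reverse proxy can reach it, and require a
     secret that the proxy must present on every request.
     CHANGE_ME_random_value is a placeholder; generate a long random string. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE_ME_random_value" />

<!-- If no proxy actually fronts Tomcat over AJP, the safer fix is to delete
     or comment out the connector entirely instead of securing it. -->
```

The reverse proxy side has to carry the same value (for Apache httpd, the `secret=` parameter on the mod_proxy_ajp `ProxyPass` line), otherwise Tomcat rejects the proxied requests once `secretRequired` is on.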