Security Exposures
I have installed the IPT on a Windows 2003 server (at http://science.uvu.edu:8080/ipt/). Recently, a security evaluation was made, and here are the medium-severity weaknesses found, all of which I think are attributable to Tomcat/Apache. What should I be doing to resolve these? I typically use automatic updates to keep things current, and don't normally install software that requires hands-on maintenance, so I'm unsure if an update of the Apache or Tomcat software might break the IPT app. Or even if an update will fix the holes. I think the security certificate errors are Tomcat also, because I didn't install any in Windows, but I'm not certain.
#  PLUGIN NAME
2  SSL Certificate signed with an unknown Certificate Authority
2  SSL Certificate with Wrong Hostname
2  SSL Certificate Expiry
1  Apache Tomcat < 6.0.32 / 7.0.8 NIO Connector Denial of Service
1  Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities
1  Apache Tomcat 6.x < 6.0.30 / 7.x < 7.0.5 Multiple XSS
Bruce Wilson
Department of Chemistry | Mail Stop 179 | UVU | 800 W University Parkway, Orem UT 84058
(801)863-7138 | bruce.wilson@uvu.edu | http://science.uvu.edu/wilson
Current Tomcat 6 is 6.0.32
http://tomcat.apache.org/whichversion.html
This report suggests that you are using a version earlier than 6.0.30. If that is correct, then installing the current 6.0.32 should deal with the last three issues. If that isn't correct, and you are using 6.0.32, then the security evaluation tool may be detecting false positives.
The first three issues are simply indications that you have a default self-signed certificate (and it has expired). If you aren't exposing Tomcat as an SSL (https) service, or if you are the only user of the https service, then this is not an issue. If you are having other people visit an https URL (to encrypt their username/password in a login session), then you'll want to purchase a certificate from a signing authority that is widely recognised by browser vendors. If you are the only user of the secured SSL service (if, for example, you are connecting over https to the Tomcat admin application) then don't worry about these.

Configuration instructions for SSL certificates in the Tomcat 6 docs can be found at: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

If you aren't using SSL, you may wish to turn it off by commenting out the SSL connectors in the Tomcat configuration file.
The IPT developers will need to comment on the range of supported Tomcat versions.
-Paul
On Wed, 20 Apr 2011 09:41:01 -0600 "Bruce Wilson" bruce.wilson@uvu.edu wrote:
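As an added example (not code from this thread or from the IPT project), a small Python triage of the scan report above along the lines Paul's reply suggests: it compares an installed Tomcat version string (as printed by Tomcat's bin/version.bat or on its error pages) against the fixed versions the three Tomcat plugins name, and reproduces the three certificate findings from a certificate in the dict form Python's ssl.getpeercert() returns. The version string, the sample certificate and the check date are constructed input; the fixed-version thresholds are taken from the report.

```python
import ssl
from datetime import datetime, timezone

# Plugin name -> first Tomcat 6.x release the scanner treats as fixed
# (thresholds copied from the scan report quoted in the thread).
TOMCAT_FINDINGS = {
    "NIO Connector Denial of Service": "6.0.32",
    "6.0.x Multiple Vulnerabilities": "6.0.30",
    "Multiple XSS": "6.0.30",
}
THREAD_DATE = datetime(2011, 4, 20, tzinfo=timezone.utc)  # date of the original mail

def parse_version(text):
    """'Apache Tomcat/6.0.29' or 'Server number: 6.0.32.0' -> tuple of ints."""
    return tuple(int(p) for p in text.split("/")[-1].split(":")[-1].strip().split("."))

def tomcat_triage(installed):
    """True = installed build is below the fix, so the finding is real;
    False = at or above the fix, so the scanner is reporting a false positive."""
    have = parse_version(installed)
    return {name: have < parse_version(fixed) for name, fixed in TOMCAT_FINDINGS.items()}

def name_matches(pattern, host):
    """Exact match, or a single-label wildcard such as *.uvu.edu."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def cert_triage(cert, hostname, now):
    """Reproduce the three certificate findings from a getpeercert()-style dict."""
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names.append(subject.get("commonName", ""))
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    host = hostname.lower()
    return {
        "unknown CA (self-signed)": subject == issuer,  # issuer is the cert itself
        "wrong hostname": not any(name_matches(n.lower(), host) for n in names),
        "expired": not_after < now,
    }

# Constructed sample: the default self-signed Tomcat certificate (CN=localhost),
# checked against the server's real name on the date of the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notAfter": "Mar 15 12:00:00 2011 GMT",
}

if __name__ == "__main__":
    print(tomcat_triage("Apache Tomcat/6.0.29"))
    print(cert_triage(SAMPLE_CERT, "science.uvu.edu", THREAD_DATE))
```

A result of all-False from tomcat_triage on the version Tomcat actually reports is the "false positive" case Paul describes; all-True from cert_triage is the default expired self-signed certificate.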
Thank you very much Paul,
The IPT is known to work on Tomcat 5.5.* and 6.0.*, and we would like to hear of any issues in other versions so we can address them should they appear.
Best wishes, Tim
On Apr 20, 2011, at 6:15 PM, Paul J. Morris wrote:
--
Paul J. Morris
Biodiversity Informatics Manager
Harvard University Herbaria/Museum of Comparative Zoölogy
mole@morris.net AA3SD
PGP public key available
_______________________________________________
IPT mailing list
IPT@lists.gbif.org
http://lists.gbif.org/mailman/listinfo/ipt
Participants (3): Bruce Wilson, Paul J. Morris, Tim Robertson (GBIF)