[IPT] Security Exposures

Paul J. Morris mole at morris.net
Wed Apr 20 18:15:17 CEST 2011


Current Tomcat 6 is 6.0.32

http://tomcat.apache.org/whichversion.html

This report suggests that you are using a version earlier than 6.0.30.
If that is correct, then installing the current 6.0.32 should deal with
the last three issues.  If that isn't correct, and you are using
6.0.32, then the security evaluation tool may be detecting false
positives.

The first three issues are simply indications that you have a default
self-signed certificate (and it has expired).  If you aren't exposing
tomcat as an SSL (https) service, or if you are the only user of the
https service, then this is not an issue.  If you are having other
people visit an https url (to encrypt their username/password in a
login session), then you'll want to purchase a certificate from a
signing authority that is widely recognised by browser vendors.  If you
are the only user of the secured SSL service (if, for example, you are
connecting over https to the tomcat admin application) then don't worry
about these.  Configuration instructions for SSL certificates in the
tomcat 6 docs can be found at:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html  If you aren't
using ssl, you may wish to turn it off by commenting out the ssl
connectors in the tomcat configuration file.

The IPT developers will need to comment on the range of supported
Tomcat versions.


-Paul

On Wed, 20 Apr 2011 09:41:01 -0600
"Bruce Wilson" <bruce.wilson at uvu.edu> wrote:
> I have installed the IPT on a Windows 2003 server (at
> http://science.uvu.edu:8080/ipt/). Recently, a security evaluation
> was made, and here are the medium-severity weaknesses found, all of
> which I think are attributable to Tomcat/Apache. What should I be
> doing to resolve these? I typically use automatic updates to keep
> things current, and don't normally install software that requires
> hands-on maintenance, so I'm unsure if an update of the Apache or
> Tomcat software might break the IPT app. Or even if an update will
> fix the holes. I think the security certificate errors are Tomcat
> also, because I didn't install any in Windows, but I'm not certain.
> 
> #	PLUGIN NAME
> 2	SSL Certificate signed with an unknown Certificate Authority
> 2	SSL Certificate with Wrong Hostname
> 2	SSL Certificate Expiry
> 1	Apache Tomcat < 6.0.32 / 7.0.8 NIO Connector Denial of Service
> 1	Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities
> 1	Apache Tomcat 6.x < 6.0.30 / 7.x < 7.0.5 Multiple XSS
> 
> Bruce Wilson
> Department of Chemistry | Mail Stop 179 | UVU | 800 W University
> Parkway, Orem UT 84058
> (801)863-7138 | bruce.wilson at uvu.edu | http://science.uvu.edu/wilson
> 
> 


-- 
Paul J. Morris
Biodiversity Informatics Manager
Harvard University Herbaria/Museum of Comparative Zoölogy
mole at morris.net  AA3SD  PGP public key available
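As an added example (not code from this thread or from the IPT project), the following Python check reproduces the three certificate findings from Bruce's scan (self-signed issuer, hostname mismatch, expiry) against a certificate given in the dict layout that `ssl.SSLSocket.getpeercert()` returns. The two sample certificates, the hostnames and the scan time are constructed; the first one is shaped like the default self-signed certificate keytool produces when following the Tomcat SSL how-to.

```python
import ssl
import time


def _dns_names(cert):
    """DNS names the certificate claims: SAN dNSName entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (*.example.edu matches
    www.example.edu but not example.edu or a.b.example.edu)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def audit_cert(cert, hostname, now=None):
    """Return the scanner-style findings for one certificate dict.
    `now` is epoch seconds (UTC) so the expiry check is deterministic."""
    now = time.time() if now is None else now
    findings = []
    if cert.get("subject") == cert.get("issuer"):
        findings.append("signed with an unknown CA: certificate is self-signed")
    if not any(_name_matches(name, hostname) for name in _dns_names(cert)):
        findings.append("wrong hostname: %s not covered by %s" % (hostname, _dns_names(cert)))
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired: notAfter %s" % cert["notAfter"])
    return findings


# Constructed sample: what a default keytool-generated Tomcat certificate
# looks like a year later (self-signed, CN=localhost, one-year validity).
TOMCAT_DEFAULT_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notBefore": "Apr 19 12:00:00 2010 GMT",
    "notAfter": "Apr 19 12:00:00 2011 GMT",
}

# Constructed sample: a CA-issued, correctly named, unexpired certificate.
CA_ISSUED_CERT = {
    "subject": ((("commonName", "science.example.edu"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "notBefore": "Jan 10 00:00:00 2011 GMT",
    "notAfter": "Jan 10 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "science.example.edu"), ("DNS", "*.labs.example.edu")),
}

SCAN_TIME = ssl.cert_time_to_seconds("Apr 20 00:00:00 2011 GMT")  # constructed scan date

if __name__ == "__main__":
    for finding in audit_cert(TOMCAT_DEFAULT_CERT, "science.example.edu", SCAN_TIME):
        print(finding)
```

Replacing the self-signed certificate with a CA-issued one whose names cover the public hostname clears all three findings, which is exactly the outcome the reply above describes for an externally used https service.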

