[IPT] Security Exposures

Tim Robertson (GBIF) trobertson at gbif.org
Wed Apr 20 18:59:00 CEST 2011


Thank you very much Paul,

The IPT is known to work on Tomcat 5.5.* and 6.0.*, and we would like
to hear of any issues in other versions so we can address them should
they appear.

Best wishes,
Tim


On Apr 20, 2011, at 6:15 PM, Paul J. Morris wrote:

> Current Tomcat 6 is 6.0.32
>
> http://tomcat.apache.org/whichversion.html
>
> This report suggests that you are using a version earlier than 6.0.30.
> If that is correct, then installing the current 6.0.32 should deal with
> the last three issues.  If that isn't correct, and you are using
> 6.0.32, then the security evaluation tool may be detecting false
> positives.
>
> The first three issues are simply indications that you have a default
> self-signed certificate (and it has expired).  If you aren't exposing
> tomcat as an SSL (https) service, or if you are the only user of the
> https service, then this is not an issue.  If you are having other
> people visit an https url (to encrypt their username/password in a
> login session), then you'll want to purchase a certificate from a
> signing authority that is widely recognised by browser vendors.  If you
> are the only user of the secured SSL service (if, for example, you are
> connecting over https to the tomcat admin application) then don't worry
> about these.  Configuration instructions for SSL certificates in the
> tomcat 6 docs can be found at:
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html  If you aren't
> using ssl, you may wish to turn it off by commenting out the ssl
> connectors in the tomcat configuration file.
>
> The IPT developers will need to comment on the range of supported
> Tomcat versions.
>
>
> -Paul
>
> On Wed, 20 Apr 2011 09:41:01 -0600
> "Bruce Wilson" <bruce.wilson at uvu.edu> wrote:
>> I have installed the IPT on a Windows 2003 server (at
>> http://science.uvu.edu:8080/ipt/). Recently, a security evaluation
>> was made, and here are the medium-severity weaknesses found, all of
>> which I think are attributable to Tomcat/Apache. What should I be
>> doing to resolve these? I typically use automatic updates to keep
>> things current, and don't normally install software that requires
>> hands-on maintenance, so I'm unsure if an update of the Apache or
>> Tomcat software might break the IPT app. Or even if an update will
>> fix the holes. I think the security certificate errors are Tomcat
>> also, because I didn't install any in Windows, but I'm not certain.
>>
>> #  PLUGIN NAME
>> 2  SSL Certificate signed with an unknown Certificate Authority
>> 2  SSL Certificate with Wrong Hostname
>> 2  SSL Certificate Expiry
>> 1  Apache Tomcat < 6.0.32 / 7.0.8 NIO Connector Denial of Service
>> 1  Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities
>> 1  Apache Tomcat 6.x < 6.0.30 / 7.x < 7.0.5 Multiple XSS
>>
>> Bruce Wilson
>> Department of Chemistry | Mail Stop 179 | UVU | 800 W University
>> Parkway, Orem UT 84058
>> (801)863-7138 | bruce.wilson at uvu.edu | http://science.uvu.edu/wilson
>>
>>
>> _______________________________________________
>> IPT mailing list
>> IPT at lists.gbif.org
>> http://lists.gbif.org/mailman/listinfo/ipt
>
>
> -- 
> Paul J. Morris
> Biodiversity Informatics Manager
> Harvard University Herbaria/Museum of Comparative Zoölogy
> mole at morris.net  AA3SD  PGP public key available
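Added example, not part of the thread and not IPT or Tomcat project code: a small Python script that automates two of the checks Paul describes above. It compares a Tomcat version banner against the fixed releases named in the three Tomcat findings of Bruce's scan (so an administrator can tell whether those items still apply or are likely false positives), and it finds the HTTPS connectors in a Tomcat 6 server.xml and comments them out, which is Paul's suggestion when SSL is not in use. The server.xml is a constructed sample and all function names are my own.

```python
# Added example for this thread (not IPT project code): two offline checks a
# Tomcat admin can run on the scan findings quoted above. It (1) compares a
# Tomcat version banner against the fixed releases named in the three Tomcat
# findings and (2) locates HTTPS connectors in a Tomcat 6 server.xml and
# comments them out. The server.xml below is a constructed sample.
import re
import xml.etree.ElementTree as ET

# Finding name (as the scanner reported it) -> first fixed release per major
# version, taken from the finding names. A major version absent from the
# table (e.g. Tomcat 5.5) is not judged by this table.
FIXED_IN = {
    "Apache Tomcat < 6.0.32 / 7.0.8 NIO Connector Denial of Service":
        {6: (6, 0, 32), 7: (7, 0, 8)},
    "Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities":
        {6: (6, 0, 30)},
    "Apache Tomcat 6.x < 6.0.30 / 7.x < 7.0.5 Multiple XSS":
        {6: (6, 0, 30), 7: (7, 0, 5)},
}


def parse_version(banner):
    """Extract (major, minor, patch) from e.g. 'Apache Tomcat/6.0.29'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version number in banner: %r" % banner)
    return tuple(int(part) for part in m.groups())


def applicable_findings(banner):
    """Findings that still apply to the installed version. An empty list for
    a 6.0.32 banner means the three Tomcat items are likely false positives."""
    version = parse_version(banner)
    hits = []
    for name, fixed_by_major in FIXED_IN.items():
        fixed = fixed_by_major.get(version[0])
        if fixed is not None and version < fixed:
            hits.append(name)
    return hits


# Constructed server.xml in the layout of a Tomcat 6 default configuration.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

CONNECTOR_RE = re.compile(r"<Connector\b[^>]*/>")  # self-closing connectors only
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def _is_https(attrs):
    """A connector serves HTTPS if it is SSLEnabled or declares scheme=https."""
    return (attrs.get("SSLEnabled", "").lower() == "true"
            or attrs.get("scheme", "").lower() == "https")


def https_connectors(server_xml):
    """Ports of active HTTPS connectors. ElementTree drops XML comments, so
    connectors that are already commented out are not listed."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector") if _is_https(c.attrib)]


def comment_out_https_connectors(server_xml):
    """Return server.xml with every active HTTPS <Connector .../> wrapped in
    an XML comment. Works on the text so existing comments and formatting
    survive; connectors already inside a comment are left alone, so running
    this twice does not produce nested (invalid) comments."""
    commented = [m.span() for m in COMMENT_RE.finditer(server_xml)]

    def inside_comment(pos):
        return any(start <= pos < end for start, end in commented)

    def replace(m):
        text = m.group(0)
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', text))
        if inside_comment(m.start()) or not _is_https(attrs):
            return text
        return ("<!-- HTTPS connector disabled; SSL not in use -->\n    <!-- "
                + text + " -->")

    return CONNECTOR_RE.sub(replace, server_xml)


if __name__ == "__main__":
    print(applicable_findings("Apache Tomcat/6.0.29"))
    print(https_connectors(SAMPLE_SERVER_XML))
    print(comment_out_https_connectors(SAMPLE_SERVER_XML))
```

The version check only answers Paul's narrower question (do the three Tomcat findings match the installed release); the certificate findings are about the certificate itself, not the version, and are resolved either by installing a CA-issued certificate as the linked ssl-howto describes or by disabling the unused HTTPS connector as the second function does.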
