[IPT] Security Exposures
Tim Robertson (GBIF)
trobertson at gbif.org
Wed Apr 20 18:59:00 CEST 2011
Thank you very much Paul,
The IPT is known to work on Tomcat 5.5.* and 6.0.*, and we would like
to hear of any issues in other versions so we can address them should
they appear.
Best wishes,
Tim
On Apr 20, 2011, at 6:15 PM, Paul J. Morris wrote:
> Current Tomcat 6 is 6.0.32
>
> http://tomcat.apache.org/whichversion.html
>
> This report suggests that you are using a version earlier than 6.0.30.
> If that is correct, then installing the current 6.0.32 should deal with
> the last three issues. If that isn't correct, and you are using
> 6.0.32, then the security evaluation tool may be detecting false
> positives.
>
> The first three issues are simply indications that you have a default
> self-signed certificate (and it has expired). If you aren't exposing
> tomcat as an SSL (https) service, or if you are the only user of the
> https service, then this is not an issue. If you are having other
> people visit an https url (to encrypt their username/password in a
> login session), then you'll want to purchase a certificate from a
> signing authority that is widely recognised by browser vendors. If you
> are the only user of the secured SSL service (if, for example, you are
> connecting over https to the tomcat admin application) then don't worry
> about these. Configuration instructions for SSL certificates in the
> tomcat 6 docs can be found at:
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
> If you aren't using ssl, you may wish to turn it off by commenting out
> the ssl connectors in the tomcat configuration file.
>
> The IPT developers will need to comment on the range of supported
> Tomcat versions.
>
>
> -Paul
>
> On Wed, 20 Apr 2011 09:41:01 -0600
> "Bruce Wilson" <bruce.wilson at uvu.edu> wrote:
>> I have installed the IPT on a Windows 2003 server (at
>> http://science.uvu.edu:8080/ipt/). Recently, a security evaluation
>> was made, and here are the medium-severity weaknesses found, all of
>> which I think are attributable to Tomcat/Apache. What should I be
>> doing to resolve these? I typically use automatic updates to keep
>> things current, and don't normally install software that requires
>> hands-on maintenance, so I'm unsure if an update of the Apache or
>> Tomcat software might break the IPT app. Or even if an update will
>> fix the holes. I think the security certificate errors are Tomcat
>> also, because I didn't install any in Windows, but I'm not certain.
>>
>> # PLUGIN NAME
>> 2 SSL Certificate signed with an unknown Certificate Authority
>> 2 SSL Certificate with Wrong Hostname
>> 2 SSL Certificate Expiry
>> 1 Apache Tomcat < 6.0.32 / 7.0.8 NIO Connector Denial of Service
>> 1 Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities
>> 1 Apache Tomcat 6.x < 6.0.30 / 7.x < 7.0.5 Multiple XSS
>>
>> Bruce Wilson
>> Department of Chemistry | Mail Stop 179 | UVU | 800 W University
>> Parkway, Orem UT 84058
>> (801)863-7138 | bruce.wilson at uvu.edu | http://science.uvu.edu/wilson
>>
>>
>> _______________________________________________
>> IPT mailing list
>> IPT at lists.gbif.org
>> http://lists.gbif.org/mailman/listinfo/ipt
>
>
> --
> Paul J. Morris
> Biodiversity Informatics Manager
> Harvard University Herbaria/Museum of Comparative Zoölogy
> mole at morris.net AA3SD PGP public key available
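Two of the checks Paul's reply asks for, as an added example that is not part of the thread and not IPT or Tomcat project code: deciding which of the three Tomcat findings a given 6.0.x version is still exposed to (using the thresholds in the scanner's own finding names, 6.0.30 and 6.0.32), and locating the https connectors in a Tomcat 6 server.xml so they can be disabled when SSL is not actually in use. The server.xml below is constructed for the example in the shape of the stock Tomcat 6 file; the function names and the FINDINGS table are this example's own.

```python
"""Triage helpers for the scanner findings quoted above (added example).

- still_affected(): which of the three Tomcat findings still apply to a
  given Tomcat 6.0.x version, using the version thresholds the finding
  names state.
- ssl_connectors() / disable_ssl_connectors(): find, and optionally drop,
  the https <Connector> elements in a Tomcat 6 server.xml.
"""
import re
import xml.etree.ElementTree as ET

# (finding name, first Tomcat 6.0.x release that is NOT affected).
# Thresholds are the ones stated in the scanner output quoted in the thread.
FINDINGS = [
    ("Apache Tomcat < 6.0.32 / 7.0.8 NIO Connector Denial of Service", (6, 0, 32)),
    ("Apache Tomcat 6.0.x < 6.0.30 Multiple Vulnerabilities", (6, 0, 30)),
    ("Apache Tomcat 6.x < 6.0.30 / 7.x < 7.0.5 Multiple XSS", (6, 0, 30)),
]


def parse_version(s):
    """'6.0.29' -> (6, 0, 29); anything else raises ValueError."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % s)
    return tuple(int(x) for x in m.groups())


def still_affected(version):
    """Return the finding names a Tomcat 6.0.x at `version` is still exposed to.

    Only the 6.0.x branch is handled, because that is the branch discussed
    in the thread; 7.x has its own thresholds and is rejected here.
    """
    v = parse_version(version)
    if v[:2] != (6, 0):
        raise ValueError("only Tomcat 6.0.x is handled: %r" % version)
    return [name for name, fixed in FINDINGS if v < fixed]


def _is_https(connector):
    # Tomcat 6 marks an SSL connector with SSLEnabled="true"; the stock
    # template also sets scheme="https". Either attribute counts as a match.
    a = connector.attrib
    return (a.get("SSLEnabled", "").lower() == "true"
            or a.get("scheme", "").lower() == "https")


def ssl_connectors(server_xml):
    """Return (port, attributes) for every https <Connector> in server_xml."""
    root = ET.fromstring(server_xml)
    return [(int(c.get("port", "0")), dict(c.attrib))
            for c in root.iter("Connector") if _is_https(c)]


def disable_ssl_connectors(server_xml):
    """Return server.xml text with each https <Connector> removed.

    Same effect as commenting the connector out, but done on the parsed
    tree so the result is guaranteed to still be well-formed XML.
    """
    root = ET.fromstring(server_xml)
    # Snapshot the parents first: removing children while iterating the
    # live tree would skip elements.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "Connector" and _is_https(child):
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample, shaped like the stock Tomcat 6 conf/server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for v in ("6.0.29", "6.0.30", "6.0.32"):
        print(v, "->", still_affected(v) or "none of the three Tomcat findings")
    print("https connectors on ports:", [p for p, _ in ssl_connectors(SAMPLE_SERVER_XML)])
    print(disable_ssl_connectors(SAMPLE_SERVER_XML))
```

Two caveats when running this against a real installation: the version string to feed `still_affected` is the one Tomcat itself reports (for example from `version.bat` / `catalina.bat version` in the Tomcat bin directory on Windows), not what a scanner banner guesses; and ElementTree's default parser discards XML comments, so use `disable_ssl_connectors` to confirm which connector to remove and then make the edit in the real server.xml by hand, restarting Tomcat afterwards.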