Hello Tomcat support team,

Thanks for your continuous support.


Problem : Security issue | CVE-2012-4929

Overview:
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, 
Qt, and other products, can encrypt compressed data without properly 
obfuscating the length of the unencrypted data, which allows man-in-the-middle 
attackers to obtain plaintext HTTP headers by observing length differences 
during a series of guesses in which a string in an HTTP request potentially 
matches an unknown string in an HTTP header, aka a "CRIME" attack.

The remote service has one of two configurations that are known to be
required for the CRIME attack:
- SSL / TLS compression is enabled.

The attack allows an attacker to reveal sensitive information that is being
passed inside an encrypted SSL tunnel. The most straightforward way to leverage
this vulnerability is to use it to retrieve cookies being passed by an
application and use them to log in to the application as the victim.
The TLS protocol encrypts compressed data without properly obfuscating the
length of the unencrypted data. Successful exploitation may result in a remote
attacker conducting man-in-the-middle attacks.
According to our analysis, it seems:
- No SSL compression in IE; Firefox has disabled it from V15.0 in 2012, and it
  is already disabled in the latest version of Chrome.
- TLS advertises the SPDY protocol earlier than version 4.

Solution: Disable compression and / or the SPDY service.

So how do we disable compression and / or the SPDY service in Tomcat 6?


Regards,
Rahul Kumar Singh



DISCLAIMER:
-----------------------------------------------------------------------------------------------------------------------
The contents of this e-mail and any attachment(s) are confidential and
intended for the named recipient(s) only. It shall not attach any liability
on the originator or NEC or its affiliates. Any views or opinions presented
in this email are solely those of the author and may not necessarily reflect
the opinions of NEC or its affiliates. Any form of reproduction,
dissemination, copying, disclosure, modification, distribution and / or
publication of this message without the prior written consent of the author
of this e-mail is strictly prohibited. If you have received this email in
error please delete it and notify the sender immediately.
-----------------------------------------------------------------------------------------------------------------------
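The precondition the message describes for CRIME is that the server actually negotiates a TLS compression method. Below is an added example, not part of this thread and not Tomcat's own code, showing how a defender can verify that from the server's side of the handshake: it parses the compression_method byte out of a TLS ServerHello record, and, separately, uses Python's ssl module to report what a live server negotiated. The ServerHello bytes used here are constructed for the example (all-zero random, empty session id, TLS_RSA_WITH_AES_128_CBC_SHA); the function names are this example's own.

```python
import socket
import ssl
import struct

NULL_COMPRESSION = 0x00  # TLS compression_method value meaning "no compression"


def parse_server_hello_compression(record: bytes) -> int:
    """Return the compression_method byte selected in a TLS ServerHello.

    `record` is one full TLS record: 5-byte record header followed by a
    Handshake message of type ServerHello (RFC 5246 section 7.4.1.3).
    Raises ValueError if the bytes are not a ServerHello record.
    """
    if len(record) < 5 or record[0] != 0x16:  # ContentType handshake = 22
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:  # HandshakeType server_hello = 2
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ServerHello layout: server_version(2) random(32) session_id<0..32>
    #                     cipher_suite(2) compression_method(1) [extensions]
    pos = 2 + 32
    session_id_len = hello[pos]
    pos += 1 + session_id_len
    pos += 2  # skip cipher_suite
    if pos >= len(hello):
        raise ValueError("ServerHello truncated before compression_method")
    return hello[pos]


def compression_negotiated(record: bytes) -> bool:
    """True when the ServerHello selected anything other than null compression."""
    return parse_server_hello_compression(record) != NULL_COMPRESSION


def build_server_hello(compression_method: int) -> bytes:
    """Build a minimal, constructed ServerHello record for testing the parser."""
    random_bytes = bytes(32)           # constructed: all-zero server random
    session_id = b""                   # constructed: no session resumption
    cipher_suite = b"\x00\x2f"         # TLS_RSA_WITH_AES_128_CBC_SHA
    hello = (b"\x03\x03" + random_bytes + bytes([len(session_id)]) + session_id
             + cipher_suite + bytes([compression_method]))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def live_compression_check(host: str, port: int = 443, timeout: float = 5.0):
    """Connect to a live server and return the negotiated compression name.

    Uses ssl.SSLSocket.compression(), which returns e.g. "zlib" when TLS
    compression was negotiated and None when it was not. Not run offline.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.compression()


if __name__ == "__main__":
    for method in (0x00, 0x01):  # 0x01 is the DEFLATE method from RFC 3749
        rec = build_server_hello(method)
        print(f"compression_method={method:#04x} -> "
              f"compression negotiated: {compression_negotiated(rec)}")
```

A server that is safe from this particular precondition always answers with compression_method 0x00; a ServerHello carrying any other value is the configuration the message's scanner flagged. The offline parser is useful when reviewing a packet capture, while `live_compression_check` gives the same answer against a running host.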
