[CONF] Apache Tomcat > Security

2019-11-24 Thread Konstantin Kolinko (Confluence)
Security
Konstantin Kolinko edited this page
Here's the version comment
Konstantin Kolinko edited at 03:07 AM
Add a permalink. Fix formatting and links.
Here's what changed:
Permalink to this page: https://cwiki.apache.org/confluence/x/qyolBg

Preface

This FAQ section provides help with some security-related issues. If you hear of a vulnerability or its exploitation, please see the security page.

The Record

There have been no public cases of damage done to a company, organization, or individual due to a Tomcat security issue. There have been no documented cases of data loss or application crashes caused by an intruder. While there have been numerous analyses conducted on Tomcat, partly because this is easy to do with Tomcat's source code openly available, only theoretical vulnerabilities have been found. All of those were addressed even though there were no documented cases of actual exploitation of these vulnerabilities.

...

There have been several reports of a compromise done via guessing the password of a user of the Manager web application.

There was once a bug where blindly clicking through the Windows installer configured a manager user with a blank password (CVE-2009-3548). This was fixed by April 2010 (Tomcat 5.5.29, 6.0.24 and later are safe). Please see the "Security considerations" pages in the Tomcat documentation (linked below) for a reference on how access to the management applications in Tomcat should be secured.

There have been several reports of compromises via vulnerabilities in third-party web applications deployed on Tomcat. For example, vulnerabilities in the Apache Struts framework were a popular attack target several times in the years 2013-2017, e.g. the Equifax breach in 2017. It is unknown whether Equifax ran their application on Tomcat, but there have been a number of similar compromise reports from Tomcat users. Those are not caused by a vulnerability in Tomcat.

...

Links

Known vulnerabilities: https://tomcat.apache.org/security.html
Security considerations (Tomcat documentation) - Tomcat 9, Tomcat 8.5, Tomcat 87.0, Tomcat 7
Questions

How do I use OpenSSL to set up my own Certificate Authority (CA)?
Oh no! Port 8005 is available for anyone on localhost to shutdown my Tomcat!
What about Tomcat running as root?
How do I force all my pages to run under HTTPS?
What is the default login for the manager and admin app?
How do I restrict access by IP address or remote host?
How do I use jsvc/procrun to run Tomcat on port 80 securely?
Has Tomcat's security been independently analyzed or audited?
How do I change the Server header in the response?
Why are passwords in plain text?
How can I restrict the list of ciphers used for HTTPS?
Which cipher suites should I use?
Answers

Q1. How do I use OpenSSL to set up my own Certificate Authority (CA)?
Using OpenSSL to set up your own CA.
 
 
 
Q2. Oh no! Port 8005 is available for anyone on localhost to shutdown my Tomcat!
See these two discussions:
- Possible to switch off tcp/ip server shutdown?
- Tomcat shutdown & security
 
 
 
Q3. What about Tomcat running as root?
See these threads:
- Tomcat as root and security issues
 
 
 
Q4. How do I force all my pages to run under HTTPS?
Use a security-constraint in web.xml.
 
 
 
Q5. What is the default login for the manager and admin app?
The admin and manager applications do not provide a default login. Doing so would be a security flaw. You need to edit the $CATALINA_HOME/conf/tomcat-users.xml file if you are using the default install. See Configuring Manager Application Access for details. Note that there exists malware that tries to guess the manager password. There was once a bug where blindly clicking through the Windows installer configured a manager user with a blank password (CVE-2009-3548). This was fixed by April 2010 (Tomcat 5.5.29, 6.0.24 and later are safe).
 
 
 
Q6. How do I restrict access by IP address or remote host?
By using the RemoteHostValve or RemoteAddrValve. Warning: these valves rely on accurate incoming IP addresses or hostnames, so they can fall victim to spoofing! See also RemoteIpValve and the Valve Reference.
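An added example (not from the wiki page) of the two valves working together: RemoteAddrValve on the Manager context restricts by client address, and RemoteIpValve on the Host recovers the real client address when Tomcat sits behind a reverse proxy. The proxy address 10.0.0.5 and the admin subnet 192.168.10.0/24 are assumptions.

```xml
<!-- server.xml, inside <Engine> (added example). Needed only when Tomcat is
     behind a reverse proxy: without it every request appears to come from the
     proxy, so an address allow list either blocks everyone or nobody.
     RemoteIpValve replaces the remote address with the X-Forwarded-For value,
     but only for requests arriving from an address matching internalProxies
     (assumed 10.0.0.5). A header sent directly by an outside client is
     ignored, which is what keeps the allow list below from being spoofed.
     Host-level valves run before Context-level ones, so the rewrite happens
     before the address check. -->
<Host name="localhost" appBase="webapps">
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="10\.0\.0\.5"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto" />
</Host>

<!-- conf/Catalina/localhost/manager.xml (added example): restrict the Manager
     application to loopback clients plus an assumed admin subnet.
     allow/deny are regular expressions that must match the whole address;
     both the IPv4 and IPv6 loopback forms are listed. denyStatus="404" hides
     the application's existence from rejected clients instead of answering 403.
     RemoteHostValve takes the same attributes but matches the resolved host
     name; it needs enableLookups="true" on the Connector and costs a reverse
     DNS lookup per request, which is why the address form is usually preferred. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.10\.\d+"
         denyStatus="404" />
</Context>
```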
 
 
 
Q7. How do I use

[CONF] Apache Tomcat > Security

2019-09-16 Thread Mark Thomas (Confluence)
Security
Mark Thomas edited this page
Here's the version comment
Mark Thomas edited at 08:27 AM
Removed links to deleted pages
Here's what changed:
...

How do I use OpenSSL to set up my own Certificate Authority (CA)?
Oh no! Port 8005 is available for anyone on localhost to shutdown my Tomcat!
What about Tomcat running as root?
How do I force all my pages to run under HTTPS?
What is the default login for the manager and admin app?
How do I restrict access by IP address or remote host?
How do I use jsvc/procrun to run Tomcat on port 80 securely?
Has Tomcat's security been independently analyzed or audited?
How do I change the Server header in the response?
Why are passwords in plain text?
How can I restrict the list of ciphers used for HTTPS?
Is Tomcat vulnerable to Heartbleed bug?
Is Tomcat vulnerable to POODLE attack?
Which cipher suites should I use?

...

We have a page dedicated to this topic: FAQ/Password
 
 
 
Q11. How can I restrict the list of ciphers used for HTTPS?
See HowTo SSLCiphers.
 
 
 
Q12. Is Tomcat vulnerable to Heartbleed bug?
See Security/Heartbleed.

...

Is Tomcat vulnerable to POODLE attack?
See Security/POODLE.

...

Which cipher suites should I use?

...

This message was sent by Atlassian Confluence 6.15.8