[Tomcat Wiki] Update of "FAQ/Security" by KonstantinKolinko

2017-12-08 Thread Apache Wiki
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "FAQ/Security" page has been changed by KonstantinKolinko:
https://wiki.apache.org/tomcat/FAQ/Security?action=diff=21=22

Comment:
Mention CVE-2009-3548 in the "Record" section.

  === The Record ===
  
  There have been no public cases of damage done to a company, organization, or 
individual due to a Tomcat security issue. There have been no documented cases 
of data loss or application crashes caused by an intruder. While there have 
been numerous analyses conducted on Tomcat, partially because this is easy to 
do with Tomcat's source code openly available, there have been only 
'''theoretical''' vulnerabilities found. All of those were addressed even 
though there were no documented cases of actual exploitation of these 
vulnerabilities.
+ 
+ That said,
+  * There have been several reports of a compromise done via guess of the 
password of a user of the Manager web application.<><>There was once a 
bug that blindly clicking-trough the Windows installer configured a manager 
user with blank password 
([[http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24|CVE-2009-3548]]).
 This was fixed by April 2010 (Tomcat 5.5.29, 6.0.24 and later are 
safe).<><>Please see "Security considerations" pages in Tomcat 
documentation ([[#Links|linked below]]) for a reference on how access to 
Management Applications in Tomcat should be secured.
+ 
+  * There have been several reports of compromises via vulnerabilities in 3-rd 
party web applications deployed on Tomcat. E.g. vulnerabilities in Apache 
Struts framework were a popular attack target several times in years 2013-2017. 
E.g. 
[[https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax|Equifax
 breach]] in year 2017. It is unknown whether Equifax has run their application 
on Tomcat, but there have been a number of similar compromise reports from 
Tomcat users. Those are not caused by a vulnerability in Tomcat.
+ 
  === Role of Customization ===
  
  We believe, and the evidence suggests, that Tomcat is more than secure enough 
for most use-cases. However, like all other components of Tomcat, you can 
customize any and all of the relevant parts of the server to achieve even 
higher security. For example, the session manager implementation is pluggable, 
and even the default implementation has support for pluggable random number 
generators. If you have a special need that you feel is not met by Tomcat out 
of the box, consider these customization options. At the same time, please 
bring up your requirements on the user mailing list, where we'll be glad to 
discuss it and assist in your approach/design/implementation as needed.
+ 
+ It is also possible to configure Tomcat insecurely. Please see "Security 
considerations" pages in Tomcat documentation ([[#Links|linked below]]) for the 
list of security-sensitive options.
  
  === Links ===
  
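Review bot: the new "That said," bullets contradict the unchanged opening sentence of this section, which still states there have been no public cases of damage due to a Tomcat security issue; qualify that sentence (for example "due to a vulnerability in Tomcat itself") so it agrees with the Manager-password and Struts compromises listed right after it. Wording in the first bullet: "a compromise done via guess of the password" reads better as "compromises by guessing the password", and "clicking-trough" should be "clicking through"; in the second bullet "3-rd party" should be "third-party", and the two consecutive sentences starting with "E.g." should be merged into one example sentence. The "<><>" sequences inside the Manager bullet look like line-break markup that lost its angle brackets in this notification; check that the rendered page shows line breaks there rather than literal characters.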

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Tomcat Wiki] Update of "FAQ/Security" by KonstantinKolinko

2017-12-08 Thread Apache Wiki

The "FAQ/Security" page has been changed by KonstantinKolinko:
https://wiki.apache.org/tomcat/FAQ/Security?action=diff=20=21

Comment:
Add links to Tomcat 8.5 and Tomcat 9 "Security Considerations" pages.

  === Links ===
  
   * Known vulnerabilities [[http://tomcat.apache.org/security.html]]
-  * Security considerations (Tomcat documentation) - 
[[http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html|Tomcat 8]], 
[[http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html|Tomcat 7]]
+  * Security considerations (Tomcat documentation) - 
[[http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html|Tomcat 9]],
+  [[http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html|Tomcat 8.5]],
+  [[http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html|Tomcat 8.0]],
+  [[http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html|Tomcat 7]]
  
  == Questions ==
   1. [[#Q1|How do I use OpenSSL to set up my own Certificate Authority (CA)?]]
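Review bot: the rewritten "Security considerations" bullet is wrapped so that the Tomcat 8.5, 8.0 and 7 links each start on their own indented line (`+  [[http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html|Tomcat 8.5]],`); unless the wiki joins indented continuation lines into the preceding bullet, those will render as separate indented blocks rather than one list item, so either keep the item on a single line or verify the rendering before publishing. Since these are the page's hardening references, consider linking them over https:// as well.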


[Tomcat Wiki] Update of FAQ/Security by KonstantinKolinko

2014-06-13 Thread Apache Wiki

The FAQ/Security page has been changed by KonstantinKolinko:
https://wiki.apache.org/tomcat/FAQ/Security?action=diff&rev1=16&rev2=17

Comment:
Improve links. Add note on CVE-2009-3548

  === Links ===
  
   * Known vulnerabilities [[http://tomcat.apache.org/security.html]]
-  * Security considerations (Apache Tomcat 7 documentation) 
[[http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html]]
+  * Security considerations (Tomcat documentation) - 
[[http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html|Tomcat 8]], 
[[http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html|Tomcat 7]]
  
  == Questions ==
   1. [[#Q1|How do I use OpenSSL to set up my own Certificate Authority (CA)?]]
@@ -58, +58 @@

  Anchor(Q5)
  === What is the default login for the manager and admin app? ===
  
- The admin and manager application do not provide a default login. Doing so is 
a security flaw. You need to edit $CATALINA_HOME/conf/tomcat-users.xml if you 
are using the default install. 
[[http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Configuring%20Manager%20Application%20Access|Configuring
 Manager Application Access]]
+ The admin and manager application do not provide a default login. Doing so 
would be a security flaw. You need to edit $CATALINA_HOME/conf/tomcat-users.xml 
file if you are using the default install. See 
[[http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access|Configuring
 Manager Application Access]] for details.
+ 
+ Note that there exists malware that tries to guess the manager password.
+ 
+ There was once a bug that blindly clicking-trough the Windows installer 
configured a manager user with blank password 
([[http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24|CVE-2009-3548]]).
 This was fixed by April 2010 (Tomcat 5.5.29, 6.0.24 and later are safe).
  
  Anchor(Q6)
  === How do I restrict access by ip address or remote host? ===
  
- By using the {{{RemoteHostValve}}} or {{{RemoteAddrValve}}}. Warning, these 
valves rely on accurate incoming ip addresses or hostnames. So they can fall 
victim to spoofing! See also {{{RemoteIpValve}}}. 
[[http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html|Valve Reference 
Link]]
+ By using the {{{RemoteHostValve}}} or {{{RemoteAddrValve}}}. Warning, these 
valves rely on accurate incoming ip addresses or hostnames. So they can fall 
victim to spoofing! See also {{{RemoteIpValve}}}. 
[[http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Access_Control|Valve
 Reference Link]]
  
  Anchor(Q7)
  === How do I use jsvc/procrun to run Tomcat on port 80 securely? ===
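Review bot: in the Q6 rewrite, "See also RemoteIpValve" is left unexplained immediately after the spoofing warning, which is confusing because that valve is the one that replaces the observed client address with one taken from a request header; add a sentence saying it is meant for deployments behind a reverse proxy (where RemoteAddrValve would otherwise only ever see the proxy's address) and that it must be limited to requests arriving from trusted proxies, otherwise it reintroduces exactly the spoofing the warning describes. In the same answer "ip addresses" should be "IP addresses". In Q5, "clicking-trough" should be "clicking through", and the new sentence about malware guessing the manager password would be more useful with a pointer to Q6 (restricting access by address) as the complementary mitigation alongside a strong password.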


[Tomcat Wiki] Update of FAQ/Security by KonstantinKolinko

2013-02-09 Thread Apache Wiki

The FAQ/Security page has been changed by KonstantinKolinko:
http://wiki.apache.org/tomcat/FAQ/Security?action=diff&rev1=14&rev2=15

Comment:
Add links to pages at tomcat.apache.org

  === Role of Customization ===
  
  We believe, and the evidence suggests, that Tomcat is more than secure enough 
for most use-cases. However, like all other components of Tomcat, you can 
customize any and all of the relevant parts of the server to achieve even 
higher security. For example, the session manager implementation is pluggable, 
and even the default implementation has support for pluggable random number 
generators. If you have a special need that you feel is not met by Tomcat out 
of the box, consider these customization options. At the same time, please 
bring up your requirements on the user mailing list, where we'll be glad to 
discuss it and assist in your approach/design/implementation as needed.
+ 
+ === Links ===
+ 
+  * Known vulnerabilities [[http://tomcat.apache.org/security.html]]
+  * Security considerations (Apache Tomcat 7 documentation) 
[[http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html]]
  
  == Questions ==
   1. [[#Q1|How do I use OpenSSL to set up my own Certificate Authority (CA)?]]


[Tomcat Wiki] Update of FAQ/Security by KonstantinKolinko

2013-01-09 Thread Apache Wiki

The FAQ/Security page has been changed by KonstantinKolinko:
http://wiki.apache.org/tomcat/FAQ/Security?action=diff&rev1=13&rev2=14

Comment:
Add link to HowTo/SSLCiphers

   1. [[#Q8|Has Tomcat's security been independently analyzed or audited?]]
   1. [[#Q9|How do I change the Server header in the response?]]
   1. [[#Q10|Why are passwords in plain text?]]
+  1. [[#Q11|How can I restrict the list of ciphers used for HTTPS?]]
  
  == Answers ==
  
@@ -79, +80 @@

  
  We have a page dedicated to this topic. [[FAQ/Password]] 
  
+ Anchor(Q11)
+ === How can I restrict the list of ciphers used for HTTPS? ===
+ 
+ See [[HowTo/SSLCiphers]].
  
  
  [[CategoryFAQ|CategoryFAQ]]
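Review bot: the new Q11 answer is only a link; one sentence stating what the HowTo page covers (which connector setting controls the cipher list and that the page shows how to exclude weak suites) would make the FAQ entry useful when skimmed, and because HowTo/SSLCiphers is a wiki page rather than an official doc, confirm it exists and is not a dangling link at the time this change goes live.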


[Tomcat Wiki] Update of FAQ/Security by KonstantinKolinko

2011-07-11 Thread Apache Wiki
Dear Wiki user,

You have subscribed to a wiki page or wiki category on Tomcat Wiki for change 
notification.

The FAQ/Security page has been changed by KonstantinKolinko:
http://wiki.apache.org/tomcat/FAQ/Security?action=diff&rev1=8&rev2=9

Comment:
Use macro to obfuscate email address

  == Preface ==
- This FAQ section provides help with some security-related issues. If you hear 
of a vulnerability or its exploitation, please let us know on the 
[[mailto:secur...@tomcat.apache.org|secur...@tomcat.apache.org]] mailing list.
+ This FAQ section provides help with some security-related issues. If you hear 
of a vulnerability or its exploitation, please let us know on the 
MailTo(security AT tomcat DOT apache DOT org) mailing list.
  === The Record ===
  
  There have been no public cases of damage done to a company, organization, or 
individual due to a Tomcat security issue. There have been no documented cases 
of data loss or application crashes caused by an intruder. While there have 
been numerous analyses conducted on Tomcat, partially because this is easy to 
do with Tomcat's source code openly available, there have been only 
'''theoretical''' vulnerabilities found. All of those were addressed even 
though there were no documented cases of actual exploitation of these 
vulnerabilities.


[Tomcat Wiki] Update of FAQ/Security by KonstantinKolinko

2011-07-11 Thread Apache Wiki

The FAQ/Security page has been changed by KonstantinKolinko:
http://wiki.apache.org/tomcat/FAQ/Security?action=diff&rev1=9&rev2=10

Comment:
Replace http://marc.theaimsgroup.com/ with http://marc.info/

  
  Anchor(Q1)'''How do I use OpenSSL to set up my own Certificate Authority 
(CA)?'''
  
- [[http://marc.theaimsgroup.com/?l=tomcat-userm=106293430225790w=2|Using 
OpenSSL to set up your own CA]].
+ [[http://marc.info/?l=tomcat-userm=106293430225790w=2|Using OpenSSL to set 
up your own CA]].
  
  Anchor(Q2)'''OH NO! PORT 8005 is available for anyone on localhost to 
shutdown my tomcat!'''
  
  See these 2 discussions.
  
- * [[http://marc.theaimsgroup.com/?t=10439665323r=1w=2|Possible to 
switch off tcp/ip server shutdown?]]
+ * [[http://marc.info/?t=10439665323r=1w=2|Possible to switch off 
tcp/ip server shutdown?]]
- * [[http://marc.theaimsgroup.com/?t=10312664325r=1w=2|Tomcat 
shutdown  security]]
+ * [[http://marc.info/?t=10312664325r=1w=2|Tomcat shutdown  
security]]
  
  Anchor(Q3)'''What about Tomcat running as root?'''
  
  See these threads:
  
- * [[http://marc.theaimsgroup.com/?t=10451603873r=1w=2|Tomcat as 
root and security issues]]
+ * [[http://marc.info/?t=10451603873r=1w=2|Tomcat as root and 
security issues]]
  
  Anchor(Q4)'''How to I force all my pages to run under HTTPS?'''
  
- [[http://marc.theaimsgroup.com/?l=tomcat-userm=104951559722619w=2|Use 
security-constraint in web.xml]].
+ [[http://marc.info/?l=tomcat-userm=104951559722619w=2|Use 
security-constraint in web.xml]].
  
  Anchor(Q5)'''What is the default login for the manager and admin app?'''
  
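Review bot: the rewritten marc.info links show their query strings without any parameter separators (`?l=tomcat-userm=106293430225790w=2`, `?t=10439665323r=1w=2`); if the page source really lacks the separators rather than this notification having dropped them, none of the links will resolve, so open each one after the edit and confirm it lands on the intended thread. The second link text under Q2, "Tomcat shutdown  security", has a double space where a character has evidently been lost; restore it while touching these lines.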
@@ -54, +54 @@

  
  Anchor(Q7)'''How do I use jsvc/procrun to run Tomcat on port 80 
securely?'''
  
- Fairly easily ;) See the Setup page in the docs for your tomcat release, and 
read [[http://marc.theaimsgroup.com/?l=tomcat-userm=108566020231438w=2|this 
mailing list post]] for a complete setup example with permissions etc.
+ Fairly easily ;) See the Setup page in the docs for your tomcat release, and 
read [[http://marc.info/?l=tomcat-userm=108566020231438w=2|this mailing list 
post]] for a complete setup example with permissions etc.
  
  Anchor(Q8)'''Has Tomcat's security been independently analyzed or 
audited?'''
  
- Yes, by numerous organizations and individuals, many times. Try 
[[http://www.google.com/search?sourceid=navclientie=UTF-8q=is+tomcat+secure|this
 Google search]] and you'll see many references, guides, and analyses. 
+ Yes, by numerous organizations and individuals, many times. Try 
[[http://www.google.com/search?q=is+tomcat+secure|this Google search]] and 
you'll see many references, guides, and analyses. 
  
  Anchor(Q9)'''How do I change the Server header in the response?'''
  
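Review bot: the Q8 answer still offers a web search as the evidence that Tomcat's security has been independently analysed; a search results page is not a citation, so either link the specific analyses the answer has in mind or soften the "Yes" to what can actually be pointed to. Dropping the `sourceid` and `ie` parameters from the search URL is fine and the shortened link is clearer.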
