Re: FW: Apache Vulnerability - Understanding Connector Protocols

2019-08-01 Thread Christopher Schultz

Michael,

On 8/1/19 15:21, Michael Osipov wrote:
> On 2019-08-01 at 21:19, Mark Thomas wrote:
>> On 01/08/2019 20:07, Justiniano, Tony wrote:
>>> And that is what I was thinking, inadvertently, our scanning
>>> tool just found the apache version during a scan and
>>> corresponded it (the apache version) with a CVE.
>>> 
>>> Do you concur?
>> 
>> Sounds likely. Most low quality scanning tools only look at the
>> version number.
> 
> I was told the same security by obscurity nonsense by our ISEC
> team.

The OP should just set their reported version number to Tomcat 4.3 and
let it completely freak out.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: FW: Apache Vulnerability - Understanding Connector Protocols

2019-08-01 Thread Michael Osipov

> On 2019-08-01 at 21:19, Mark Thomas wrote:
>> On 01/08/2019 20:07, Justiniano, Tony wrote:
>>> And that is what I was thinking, inadvertently, our scanning tool just found
>>> the apache version during a scan and corresponded it (the apache version) with
>>> a CVE.
>>>
>>> Do you concur?
>>
>> Sounds likely. Most low quality scanning tools only look at the version
>> number.

I was told the same security by obscurity nonsense by our ISEC team.




Re: FW: Apache Vulnerability - Understanding Connector Protocols

2019-08-01 Thread Mark Thomas
On 01/08/2019 20:07, Justiniano, Tony wrote:
> And that is what I was thinking, inadvertently, our scanning tool just found 
> the apache version during a scan and corresponded it (the apache version) 
> with a CVE.
> 
> Do you concur?

Sounds likely. Most low quality scanning tools only look at the version
number.

Mark







RE: FW: Apache Vulnerability - Understanding Connector Protocols

2019-08-01 Thread Justiniano, Tony
And that is what I was thinking, inadvertently, our scanning tool just found 
the apache version during a scan and corresponded it (the apache version) with 
a CVE.

Do you concur?

Tony Justiniano
Engineer I, EUS Engineering

Wyndham Destinations
6277 Sea Harbor Drive
Orlando, FL 32821
Office: +1-407-626-5416
Mobile: +1-407-463-4297
tony.justini...@wyn.com




Re: FW: Apache Vulnerability - Understanding Connector Protocols

2019-08-01 Thread Mark Thomas
On 01/08/2019 19:49, Justiniano, Tony wrote:
> Forwarding from an initial email this morning.
> 
> ___
> 
> Good Morning,
> 
> I have been referred to this team in an attempt to have some questions 
> answered.  Before I ask those question let me provide a little background on 
> how I got to this point.
> 
> Vulnerability scans showed that two of my servers in the DMZ came back with 
> CVE-2019-10072 vulnerability.  The CVE information is below:
> 
> The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 
> connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 
> 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the 
> connection window (stream 0) clients were able to cause server-side threads 
> to block eventually leading to thread exhaustion and a DoS. 
> (CVE-2019-10072)
> 
> The question I have is based on the server.xml configuring the connector and 
> protocols used.  Below are both of my servers server.xml connector entries:
> Server6:  protocol="org.apache.coyote.http11.Http11NioProtocol"
> 
> Server5:  protocol="org.apache.coyote.http11.Http11NioProtocol"
> 
> What I have highlighted are the protocols that are used for those specific 
> connectors on the servers.
> 
> So, my question is in your professional opinions, if I'm not calling the 
> http2 protocol in any connector, my servers shouldn't be susceptible to the 
> particular CVE's vulnerability assessment.
> 
> Please let me know if this question can be answered.

If you don't have



nested in a Connector anywhere in your server.xml then you can't
possibly be vulnerable to HTTP/2 related vulnerabilities.

Looks like it is time to start shopping for a new vulnerability scanner.

Mark

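A check for exactly the question Tony asks, added here as an example (not code from the thread or from the Tomcat project): it looks in server.xml for Connectors that nest Tomcat's HTTP/2 UpgradeProtocol and combines that with the version ranges quoted in the CVE text, so a version-only scanner hit can be confirmed or dismissed. The UpgradeProtocol element and its className are assumed from Tomcat's documentation rather than taken from the page, and the server.xml below is a constructed sample.

```python
# Added example (not from the thread): triage a CVE-2019-10072 scanner hit by
# checking whether any Connector in server.xml actually enables HTTP/2.
# Assumption: Tomcat enables HTTP/2 only via a nested
# <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>.
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"
# Affected ranges exactly as stated in the CVE text quoted in the thread.
AFFECTED = {"9.0": ("9.0.0.M1", "9.0.19"), "8.5": ("8.5.0", "8.5.40")}

def parse_version(v):
    """Map '9.0.0.M1' or '8.5.40' to a comparable tuple; milestones sort before GA."""
    parts = v.split(".")
    nums = tuple(int(p) for p in parts[:3])
    if len(parts) > 3 and parts[3].startswith("M"):
        return nums + (0, int(parts[3][1:]))   # 9.0.0.M1 -> (9, 0, 0, 0, 1)
    return nums + (1, 0)                       # 9.0.0    -> (9, 0, 0, 1, 0)

def version_affected(version):
    """True if the reported Tomcat version falls inside a CVE-2019-10072 range."""
    lo_hi = AFFECTED.get(".".join(version.split(".")[:2]))
    if lo_hi is None:
        return False
    lo, hi = (parse_version(x) for x in lo_hi)
    return lo <= parse_version(version) <= hi

def http2_connectors(server_xml):
    """Return (port, protocol) for each Connector carrying the HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    return [(c.get("port"), c.get("protocol")) for c in root.iter("Connector")
            if any(u.get("className") == HTTP2_CLASS for u in c.findall("UpgradeProtocol"))]

def triage(server_xml, version):
    """The flaw is HTTP/2-specific: a version match alone does not mean exposure."""
    h2 = http2_connectors(server_xml)
    affected = version_affected(version)
    return {"version_affected": affected, "http2_connectors": h2,
            "cve_2019_10072_applicable": affected and bool(h2)}

# Constructed sample server.xml: two NIO connectors, only 8443 enables HTTP/2.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    print(triage(SAMPLE, "8.5.40"))  # cve_2019_10072_applicable: True
```

Run it against the real server.xml and the version the scanner reported; with no HTTP/2 connector the result flags the version match but reports the CVE as not applicable.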