Re: avoiding ssl vulnerabilities in tomcat

2009-09-10 Thread Christopher Schultz

Sunil,

On 9/7/2009 10:18 AM, sunil chandran wrote:
 Hello all,
 As per the suggestion from Tomcat forum users, I went ahead and installed
 Tomcat 4.1.40.
 Then I copied the original webapps file from the backup Tomcat (old version).
 I tried to start the server. It shows this error:

 Sep 7, 2009 10:13:11 PM org.apache.coyote.http11.Http11BaseProtocol init
 INFO: Initializing Coyote HTTP/1.1 on http-8080
 Sep 7, 2009 10:13:12 PM org.apache.coyote.http11.Http11BaseProtocol init
 INFO: Initializing Coyote HTTP/1.1 on http-8443
 Starting service Tomcat-Standalone
 Apache Tomcat/4.1.40
 Catalina.start: LifecycleException:  Context startup failed due to previous errors
 Stopping service Tomcat-Standalone
 Catalina.stop: LifecycleException:  Coyote connector has not been started
 LifecycleException:  Coyote connector has not been started

Care to post the error messages from the other log file(s)?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: avoiding ssl vulnerabilities in tomcat

2009-09-08 Thread sunil chandran

Hello all,
As per the suggestion from Tomcat forum users, I went ahead and installed
Tomcat 4.1.40.
Then I copied the original webapps file from the backup Tomcat (old version).
I tried to start the server. It shows this error:

Sep 7, 2009 10:13:11 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Sep 7, 2009 10:13:12 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Starting service Tomcat-Standalone
Apache Tomcat/4.1.40
Catalina.start: LifecycleException:  Context startup failed due to previous errors
Stopping service Tomcat-Standalone
Catalina.stop: LifecycleException:  Coyote connector has not been started
LifecycleException:  Coyote connector has not been started

Please help me.
regards,
Sunil C




Re: avoiding ssl vulnerabilities in tomcat

2009-09-08 Thread Mark Thomas
sunil chandran wrote:
 Hello all,
 As per the suggestion from Tomcat forum users, I went ahead and installed
 Tomcat 4.1.40.
 Then I copied the original webapps file from the backup Tomcat (old version).
 I tried to start the server. It shows this error:

 Sep 7, 2009 10:13:11 PM org.apache.coyote.http11.Http11BaseProtocol init
 INFO: Initializing Coyote HTTP/1.1 on http-8080
 Sep 7, 2009 10:13:12 PM org.apache.coyote.http11.Http11BaseProtocol init
 INFO: Initializing Coyote HTTP/1.1 on http-8443
 Starting service Tomcat-Standalone
 Apache Tomcat/4.1.40
 Catalina.start: LifecycleException:  Context startup failed due to previous errors
 Stopping service Tomcat-Standalone
 Catalina.stop: LifecycleException:  Coyote connector has not been started
 LifecycleException:  Coyote connector has not been started

 Please help me.

Look in your log files.

Mark






Re: avoiding ssl vulnerabilities in tomcat

2009-09-07 Thread sunil chandran
Hello all,
As per the suggestion from Tomcat forum users, I went ahead and installed
Tomcat 4.1.40.
Then I copied the original webapps file from the backup Tomcat (old version).
I tried to start the server. It shows this error:

Sep 7, 2009 10:13:11 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Sep 7, 2009 10:13:12 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Starting service Tomcat-Standalone
Apache Tomcat/4.1.40
Catalina.start: LifecycleException:  Context startup failed due to previous errors
Stopping service Tomcat-Standalone
Catalina.stop: LifecycleException:  Coyote connector has not been started
LifecycleException:  Coyote connector has not been started

Please help me.
regards,
Sunil C




Re: avoiding ssl vulnerabilities in tomcat

2009-08-14 Thread Christopher Schultz

Sunil,

On 8/13/2009 1:11 AM, sunil chandran wrote:
 Now installing tomcat 4.1.40 what all changes will be required in my sevice..
 
 no change in application?

You are very unlikely to require any webapp changes.

 maybe installation and configuration changes will be needed?

You are very unlikely to require any configuration changes. That's what
moving from patch level (4.1.x to 4.1.y) means: very little should be
required of you.

That being said, it is up to you to read the change log to find out if
any breaking changes have been introduced. This often happens when a
security bug is fixed which requires, say, URLs to be interpreted
differently. If your webapp relies on that old behavior, you'll need to
make arrangements for that (often using a configuration parameter).

The ChangeLog for Tomcat 4.1 can be found here:

http://archive.apache.org/dist/tomcat/tomcat-4/v4.1.40/RELEASE-NOTES-4.1.txt

It's not in the most easily-read format (changes are described by
component, then by version, rather than the other way around, which is
how I would have done it), but you still have to read it: look for every
change between 4.1.24 (that's your current version, right?) and 4.1.40.
You may have to read relevant bug reports, too.

-chris



Re: avoiding ssl vulnerabilities in tomcat

2009-08-13 Thread Pid

On 13/08/2009 06:17, sunil chandran wrote:

Hello all,
As per Christopher's response:
1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will
provide the least headache because you will be staying on your
current Tomcat version, just improving your patch level.
Plan to upgrade to a newer release of Tomcat in the future.
Can you please tell me what you mean by "improving patch level"?
How should I install Tomcat 4.1.40 on Tomcat 4.1.24? Is it a separate installation
or a patch? Please help me.


1. Install a new Tomcat version 4.1.40.
2. Configure as needed.
3. Consider investing in some Tomcat training/books/tutorials.

p






Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread sunil chandran
Hello Sir,
I wish to confirm one more thing.
The issue is SSL vulnerability. From the responses, I understood that I need to
upgrade to the latest Tomcat version. As per the team, it is recommended to go for
Tomcat 5 in our environment.
My question is:
Is this vulnerability solved in the Tomcat 5 version? Do I need to perform some
additional stuff to avoid this vulnerability? Any modification to be done in the
server.xml file to avoid the SSL vulnerability?

regards,
Sunil C
--- On Tue, 11/8/09, Mark Thomas ma...@apache.org wrote:

From: Mark Thomas ma...@apache.org
Subject: Re: avoiding ssl vulnerabilities in tomcat
To: Tomcat Users List users@tomcat.apache.org
Date: Tuesday, 11 August, 2009, 4:55 PM

sunil chandran wrote:
 Hello all,
  
 OK, I will upgrade.
 But what all changes are required to update to Tomcat 5?
 What all changes are required to upgrade to Tomcat 4.1.40?

You may as well do the job properly and upgrade to 6.0.20.

For your app? No changes should be required.

For your Tomcat configuration? Start with the clean configuration
provided with 6.0.20 and add any modifications you need. Be aware that
the config has changed in particular:
- the Logger element is no longer used
- Resource configuration has changed

See the docs for the details.

Mark



  
  
 
 --- On Mon, 10/8/09, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
 
 
 From: Caldarale, Charles R chuck.caldar...@unisys.com
 Subject: RE: avoiding ssl vulnerabilities in tomcat
 To: Tomcat Users List users@tomcat.apache.org
 Date: Monday, 10 August, 2009, 7:10 PM
 
 
 From: sunil chandran [mailto:sunilonweb2...@yahoo.co.in]
 Subject: Re: avoiding ssl vulnerabilities in tomcat

 Is there any patch provided so that i can still use the same version
 4.1.24 itself.
 
 No, you *must* upgrade.  Your reluctance to do so borders on the ridiculous.
 
 - Chuck
 
 

Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Mark Thomas
sunil chandran wrote:
 Hello Sir,
 I wish to confirm one more thing.
 The issue is SSL vulnerability. From the responses, I understood that I need
 to upgrade to the latest Tomcat version. As per the team, it is recommended to go
 for Tomcat 5 in our environment.
 My question is:
 Is this vulnerability solved in the Tomcat 5 version?
http://tomcat.apache.org/security-5.html

 Do I need to perform some additional stuff to avoid this vulnerability?
No.

Mark

 



RE: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Caldarale, Charles R
 From: sunil chandran [mailto:sunilonweb2...@yahoo.co.in]
 Subject: Re: avoiding ssl vulnerabilities in tomcat
 
 As per the team, it is recommended to go for Tomcat 5
 in our environment.

Why would you waste your time with Tomcat 5?  If you're going to upgrade from 
4, move to the version that's being actively maintained - Tomcat 6.0.x.

 - Chuck





Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Christopher Schultz

Sunil,

On 8/12/2009 3:12 AM, sunil chandran wrote:
 The issue is SSL vulnerability. From the responses, I understood that
 I need to upgrade to the latest Tomcat version. As per the team, it is
 recommended to go for Tomcat 5 in our environment.

With all due respect to your team, I think they are making a mistake.
Either of these are better choices in my opinion:

1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will
   provide the least headache because you will be staying on your
   current Tomcat version, just improving your patch level.
   Plan to upgrade to a newer release of Tomcat in the future.

2. Upgrade directly to Tomcat 6 without making a stop at Tomcat 5.5.
   If you are going to upgrade major versions, there is absolutely
   no reason for you to go to Tomcat 5.5, which will eventually have
   support dropped just like Tomcat 4.1 did.

 My question is: Is this vulnerability solved in the Tomcat 5 version?

Sheesh. Did you read the CVE description?
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1858

It clearly says that Tomcat 5.5 is vulnerable through 5.5.17 (which is
inaccurate: the fix for this is documented to be in 5.5.17). Make sure
you are using a version later than that if you must use 5.5.

Now, before you ask about what version of Tomcat 6 you need in order to
avoid this vulnerability, let me help you:

1. Go to Tomcat's web site (http://tomcat.apache.org/)
2. Follow the link that says Security
3. Pick your major Tomcat version
4. Read the fixes. Each one mentions the CVE identifier, a description
   of the problem, the versions of Tomcat affected, and the version in
   which a fix appears.

All this information is easy to find on the Tomcat web site. Please read
the documentation before continuing to ask questions such as these.

-chris



RE: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Jeffrey Janner

Just to clarify some things:  This CVE only applies to the default SSL 
connector functionality.  It doesn't apply to the APR/OpenSSL connector. 
Correct?
Jeff


Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Christopher Schultz

Jeff,

(Strange... to me, your message looked like an attachment to the
security notice that would typically be put at the end of a message.
When I tried to reply to that, all the characters got all wonky. At
least copy-paste still works :)

On 8/12/2009 10:51 AM, Jeffrey Janner wrote:
 Just to clarify some things:  This CVE only applies to the default
 SSL connector functionality.  It doesn't apply to the APR/OpenSSL
 connector. Correct?

I would guess not, since APR uses openssl which has its own default set
of ciphers. On the other hand, Tomcat could override the default set of
ciphers when configuring APR at runtime.

I can't seem to find this bug listed in bugzilla for any version of
Tomcat, so I can't see which commit fixed it (and whether it included
connectors other than Coyote). I also looked at the release notes, but
they don't include a changelog. The changelog itself for Tomcat 5.5 does
not contain the text 1858. The only thing I can find in the changelog
is this note under 5.5.17 which is listed as a fix without a bug number:


Make the default cipher suites available for SSL the same as the set of
cipher suites enabled by default rather than the set of all cipher
suites. This prevents ciphers suites that do not provide confidentiality
protection and/or server authentication being used by default. (markt)


Tomcat 6.0 does not appear to suffer from this vulnerability, and there
does not appear to be a changelog for Tomcat 4 (at least not easily
accessible from the web site).

Fortunately, GI/M/F:

http://archive.apache.org/dist/tomcat/tomcat-4/v4.1.40/RELEASE-NOTES-4.1.txt

...though I can't find anything in there :(

-chris
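An added example, not code from the thread or from the Tomcat project, that turns Sunil's server.xml question and the 5.5.17 changelog note quoted above into a check: it audits the SSL connectors in a server.xml for the condition behind CVE-2007-1858, that is, a connector with no explicit `ciphers` attribute (on affected builds the provider default was every supported suite) or one that explicitly lists NULL or anonymous suites. The sample configurations are constructed, and the lookup of `ciphers` on the nested Factory element for Tomcat 4.1-style markup is an assumption about where that version keeps it.

```python
"""Audit Tomcat server.xml SSL connectors for the cipher-suite weakness behind
CVE-2007-1858.  Added example with constructed inputs; not Tomcat project code."""
import xml.etree.ElementTree as ET

# Substrings of JSSE cipher-suite names matching what the 5.5.17 changelog note
# excludes: suites with no confidentiality (NULL bulk cipher) or no server
# authentication (anonymous key exchange).  Export-grade suites are added as a
# further common exclusion.
WEAK_MARKERS = [
    ("_WITH_NULL_", "no confidentiality (NULL bulk cipher)"),
    ("_anon_", "no server authentication (anonymous key exchange)"),
    ("_EXPORT_", "export-grade key length"),
]


def classify_suite(name):
    """Return a reason string if the suite name is weak, otherwise None."""
    for marker, reason in WEAK_MARKERS:
        if marker in name:
            return reason
    return None


def is_ssl_connector(conn):
    """Heuristic covering Tomcat 4.1, 5.5 and 6.0 connector attributes."""
    a = conn.attrib
    return (a.get("scheme") == "https" or a.get("secure") == "true"
            or a.get("SSLEnabled") == "true" or "sslProtocol" in a)


def explicit_ciphers(conn):
    """Return the 'ciphers' attribute from the Connector or, for Tomcat 4.1
    style markup, from its nested Factory element (assumed location)."""
    ciphers = conn.get("ciphers")
    if ciphers is None:
        factory = conn.find("Factory")
        if factory is not None:
            ciphers = factory.get("ciphers")
    return ciphers


def audit_server_xml(xml_text):
    """Return a list of (port, issue) findings, one per problem found."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if not is_ssl_connector(conn):
            continue
        port = conn.get("port", "?")
        ciphers = explicit_ciphers(conn)
        if ciphers is None:
            findings.append((port, "no 'ciphers' attribute: provider default in use; "
                                   "on affected builds that is every supported suite"))
            continue
        for suite in (s.strip() for s in ciphers.split(",")):
            if not suite:
                continue
            reason = classify_suite(suite)
            if reason:
                findings.append((port, f"{suite}: {reason}"))
    return findings


# Constructed sample configurations (not taken from any real deployment).
# Tomcat 4.1 style: SSL connector relying on the default cipher list.
WEAK_CONFIG = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8080" />
  <Connector port="8443" scheme="https" secure="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="false" protocol="TLS" />
  </Connector>
</Service></Server>"""

# Explicit list that still enables an anonymous and a NULL suite.
EXPLICIT_BAD_CONFIG = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
   ciphers="SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_RSA_WITH_NULL_SHA" />
</Service></Server>"""

# Corrected: only authenticated, confidentiality-providing suites listed.
FIXED_CONFIG = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA" />
</Service></Server>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("explicit-bad", EXPLICIT_BAD_CONFIG),
                       ("fixed", FIXED_CONFIG)):
        print(label, audit_server_xml(cfg) or "no findings")
```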



RE: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Martin Gainty

Jeff-
the first patch (for WEB-INF) was supposed to be fixed for 6.0.20
http://svn.apache.org/viewvc?view=rev&revision=734734

after re-implementing your webapps to TC 6.0.20
please let us know if you have a corner case which is able to bypass this patch

as this is an important patch feel free to ping me offline 
thanks,
Martin Gainty 

RE: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread Jeffrey Janner
Chris -
(I just did a reply in Outlook and this is how it got packaged. Didn't look 
that way to me, but got it that way on the send-back.  Either Exchange or my 
email filter - which adds the confidentiality footer - did this.)

I figured it was only with the regular.  Just wanted a clarification in case 
some folks were thinking it applied to the native libraries (APR). I've noticed 
a lot of folks confuse the two on this list.

Also it was a slight prompt to the original poster that perhaps he should 
install the native libraries when he does finally go to 6.x.  IIRC, they are 
not available to 4.x.
Jeff

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 

Jeff,

(Strange... to me, your message looked like an attachment to the
security notice that would typically be put at the end of a message.
When I tried to reply to that, all the characters got all wonky. At
least copy-paste still works :)

On 8/12/2009 10:51 AM, Jeffrey Janner wrote:
 Just to clarify some things:  This CVE only applies to the default
 SSL connector functionality.  It doesn't apply to the APR/OpenSSL
 connector. Correct?

I would guess not, since APR uses openssl which has its own default set
of ciphers. On the other hand, Tomcat could override the default set of
ciphers when configuring APR at runtime.




Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread sunil chandran
Hello all,
A slight change. After discussions, the production team in Singapore wants us 
to go for upgrade to 4.1.40
Comments from tomcat forum responses:
1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will
   provide the least headache because you will be staying on your
   current Tomcat version, just improving your patch level.
   Plan to upgrade to a newer release of Tomcat in the future.
Now i feel the vulnerability is fixed in this version. 
Now installing tomcat 4.1.40, what all changes will be required in my service?

no change in application?
maybe installation and configuration changes will be needed?

change needed in logging?
should i stop the tomcat 4 service running and then install this new tomcat 
4.1.40?
Please help
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





Re: avoiding ssl vulnerabilities in tomcat

2009-08-12 Thread sunil chandran
Hello all,
As per Christopher response.
1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will
   provide the least headache because you will be staying on your
   current Tomcat version, just improving your patch level.
   Plan to upgrade to a newer release of Tomcat in the future.
Can you please tell me what you mean by improving patch level.
How should i install tomcat 4.1.40 on tomcat 4.1.24? Is it a separate installation 
or a patch? Please help me



RE: avoiding ssl vulnerabilities in tomcat

2009-08-11 Thread sunil chandran

Hello all,
 
OK i will upgrade.
But what all changes are required to update to tomcat 5?
What all changes are required to upgrade to tomcat 4.1.40?
 
 


Re: avoiding ssl vulnerabilities in tomcat

2009-08-11 Thread Mark Thomas
sunil chandran wrote:
 Hello all,
  
 OK i will upgrade.
 But what all changes required to update to tomcat 5.
 what all changes are required to upgrade to tomcat 4.1.40

You may as well do the job properly and upgrade to 6.0.20.

For your app? No changes should be required.

For your Tomcat configuration? Start with the clean configuration
provided with 6.0.20 and add any modifications you need. Be aware that
the config has changed in particular:
- the Logger element is no longer used
- Resource configuration has changed

See the docs for the details.

Mark



  
  
 







Re: avoiding ssl vulnerabilities in tomcat

2009-08-10 Thread sunil chandran
Hello all,
I found this issue from support team:
THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a 
client and a server. The client usually authenticates the server using an 
algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without 
authentication. Most common Web browsers like Microsoft Internet Explorer, 
Netscape and Mozilla do not use anonymous authentication ciphers by default.
A vulnerability exists in SSL communications when clients are allowed to connect 
using no authentication algorithm.
SSL client-server communication may use several different types of 
authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the 
communications are vulnerable to a man-in-the-middle attack.
IMPACT:
An attacker can exploit this vulnerability to impersonate your server to clients.
SOLUTION:
Disable support for anonymous authentication
Please tell me what exactly i must do in tomcat 4 to avoid this ssl 
vulnerabilities.
Please help.
regards
Sunil C


Re: avoiding ssl vulnerabilities in tomcat

2009-08-10 Thread Mark Thomas
sunil chandran wrote:
 Hello all,
 I found this issue from support team:
 THREAT:
 The Secure Socket Layer (SSL) protocol allows for secure communication between 
 a client and a server. The client usually authenticates the server using an 
 algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without 
 authentication. Most common Web browsers like Microsoft Internet Explorer, 
 Netscape and Mozilla do not use anonymous authentication ciphers by default.
 A vulnerability exists in SSL communications when clients are allowed to 
 connect using no authentication algorithm.
 SSL client-server communication may use several different types of 
 authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the 
 communications are vulnerable to a man-in-the-middle attack.
 IMPACT:
 An attacker can exploit this vulnerability to impersonate your server to 
 clients.

It would have saved a lot of time if you had quoted the CVE reference
for this issue. It is CVE-2007-1858.

 SOLUTION:
 Disable support for anonymous authentication
 Please tell me what exactly i must do in tomcat 4 to avoid this ssl 
 vulnerabilities.
 Please help.

Again, *Tomcat 4 is no longer supported - you REALLY need to upgrade*.

If you insist on continuing to use Tomcat 4 then as per
http://tomcat.apache.org/security-4.html you need to upgrade to 4.1.32
or later to avoid this issue.

Given that there are other, arguably more serious vulnerabilities, still
present in 4.1.32 if you must stay on 4.1.x then you should upgrade to
4.1.40.

Mark







Re: avoiding ssl vulnerabilities in tomcat

2009-08-10 Thread sunil chandran
Hello,
I read the link. I found that my tomcat is 4.1.24 version.
So i read that the issue is fixed in 4.1.32.
Is there any patch provided so that i can still use the same version 4.1.24 
itself?
Is it a must to upgrade? Is there any patch to fix this?


RE: avoiding ssl vulnerabilities in tomcat

2009-08-10 Thread Caldarale, Charles R
 From: sunil chandran [mailto:sunilonweb2...@yahoo.co.in]
 Subject: Re: avoiding ssl vulnerabilities in tomcat
 
 Is there any patch provided so that i can still use the same version
 4.1.24 itself.

No, you *must* upgrade.  Your reluctance to do so borders on the ridiculous.

 - Chuck





avoiding ssl vulnerabilities in tomcat

2009-08-04 Thread sunil chandran
Hello all,
 
there are some vulnerabilities existing on my server:
 
SSL Server Allows Cleartext Communication Vulnerability 
 
solution provided by the team was:
 
SOLUTION: 
Disable support for anonymous authentication.
 
SOLUTION: 
Disable ciphers which support cleartext communication.
 
These vulnerabilities still exist on my server as the modifications done on the 
configuration file ssl.conf was meant for httpd service which is not being used 
in my server.
Ports 443 & 8443 where the vulnerabilities were detected are used by the Tomcat 
service running on my server.
 
Can someone help me identify the place in server.xml file to avoid these 
vulnerabilities.
 
regards
Sunil C
 
 



Re: avoiding ssl vulnerabilities in tomcat

2009-08-04 Thread Mark Thomas
sunil chandran wrote:
 there are some vulnerabilities existing on my server:
  
 SSL Server Allows Cleartext Communication Vulnerability 

<snip/>

 Can someone help me identify the place in server.xml file to avoid these 
 vulnerabilities.

You didn't say which Tomcat version so I am going to assume 6.0.20.
Neither did you say which connector you are using. I am going to assume
the default Java blocking IO connector.

The info you require is in the docs. Take a look at the SSL section of
this page:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Mark



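Mark's pointer to the SSL section of the Tomcat 6 connector docs is where the cipher settings live, and the scanner text quoted later in this thread asks for anonymous-authentication and cleartext ciphers to be disabled. The following is an added example, not Tomcat project code and not something anyone posted in this thread: a small Python audit that reads a server.xml, picks out the SSL connectors and reports cipher lists that still carry anonymous (DH_anon / ADH) or NULL-encryption suites, with a weak and a hardened connector side by side in a constructed sample. It assumes the Tomcat 6.0 attribute names (`ciphers` for the Java connector, `SSLCipherSuite` for the APR connector); the sample ports, keystore path and password are made up.

```python
"""Audit Tomcat SSL connectors in server.xml for anonymous and cleartext cipher suites.

Added example for this thread, not Tomcat project code.  Assumptions:
  * SAMPLE_SERVER_XML is constructed for the demo (ports, paths, passwords made up);
  * a Connector with SSLEnabled="true" or scheme="https" terminates SSL itself;
  * the Java (JSSE) connector lists suites in `ciphers` using JSSE names and the
    APR connector takes an OpenSSL cipher string in `SSLCipherSuite` (Tomcat 6.0 docs).
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP: not an SSL endpoint, so not audited -->
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- no cipher restriction: whatever the Tomcat/JVM default set is applies -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />
    <!-- weak: explicit list that still carries an anonymous DH suite and a NULL-encryption suite -->
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_NULL_SHA" />
    <!-- hardened: authenticated, encrypting suites only -->
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
    <!-- APR/OpenSSL connector: OpenSSL's ALL drops eNULL but keeps anonymous (ADH) suites -->
    <Connector port="8446" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
               scheme="https" secure="true" SSLCipherSuite="ALL:!LOW" />
  </Service>
</Server>
"""

# JSSE suite-name markers (Java connector, `ciphers` attribute).
JSSE_ANON = re.compile(r"_anon_", re.IGNORECASE)       # e.g. TLS_DH_anon_WITH_AES_128_CBC_SHA
JSSE_NULL = re.compile(r"_WITH_NULL_", re.IGNORECASE)  # e.g. SSL_RSA_WITH_NULL_SHA

# OpenSSL cipher-string tokens (APR connector, `SSLCipherSuite` attribute).  Conservative
# approximation: the string is assumed to keep anonymous suites unless it bans them
# explicitly; confirm a flagged string with `openssl ciphers -v '<string>'`.
OPENSSL_BANS_ANON = {"!aNULL", "!ADH", "!AECDH"}
OPENSSL_ADDS_NULL = {"eNULL", "NULL", "COMPLEMENTOFALL"}


def is_ssl_connector(conn):
    """True for a <Connector> element that terminates SSL/TLS itself."""
    a = conn.attrib
    return a.get("SSLEnabled", "").lower() == "true" or a.get("scheme", "").lower() == "https"


def audit_jsse_ciphers(spec):
    """Split a JSSE `ciphers` list; return (anonymous_suites, null_encryption_suites)."""
    suites = [s.strip() for s in spec.split(",") if s.strip()]
    anon = [s for s in suites if JSSE_ANON.search(s)]
    null = [s for s in suites if JSSE_NULL.search(s)]
    return anon, null


def audit_openssl_spec(spec):
    """Return the problems found in an OpenSSL cipher string (empty list if none)."""
    tokens = [t.strip() for t in spec.split(":") if t.strip()]
    problems = []
    if not OPENSSL_BANS_ANON.intersection(tokens):
        problems.append("does not ban anonymous suites (add !aNULL)")
    if OPENSSL_ADDS_NULL.intersection(tokens) or any(t.startswith("NULL-") for t in tokens):
        problems.append("enables NULL-encryption (cleartext) suites (add !eNULL)")
    return problems


def audit_server_xml(xml_text):
    """Return (port, severity, message) findings for every SSL connector in server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not is_ssl_connector(conn):
            continue
        port = conn.get("port", "?")
        is_apr = "Apr" in conn.get("protocol", "") or "SSLCipherSuite" in conn.attrib
        if is_apr:
            # Tomcat 6 APR default cipher string is ALL, which still contains ADH suites.
            problems = audit_openssl_spec(conn.get("SSLCipherSuite", "ALL"))
            for p in problems:
                findings.append((port, "WARN", "APR SSLCipherSuite " + p))
            if not problems:
                findings.append((port, "OK", "APR cipher string bans anonymous and NULL suites"))
        elif "ciphers" in conn.attrib:
            anon, null = audit_jsse_ciphers(conn.get("ciphers"))
            for s in anon:
                findings.append((port, "WARN", "anonymous suite enabled: " + s))
            for s in null:
                findings.append((port, "WARN", "cleartext (NULL) suite enabled: " + s))
            if not anon and not null:
                findings.append((port, "OK", "explicit cipher list without anonymous or NULL suites"))
        else:
            findings.append((port, "INFO", "no `ciphers` attribute: the Tomcat/JVM default set applies "
                                           "(that default is what CVE-2007-1858 is about on affected releases)"))
    return findings


if __name__ == "__main__":
    for port, severity, message in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {severity}: {message}")
```

Run it against a real file with `audit_server_xml(open(path).read())`. The OpenSSL branch is deliberately conservative (it only trusts an explicit `!aNULL`, `!ADH` or `!AECDH`), so confirm a flagged APR string with `openssl ciphers -v`; and on a JSSE connector with no `ciphers` attribute the outcome depends entirely on the Tomcat release, which is exactly why the replies in this thread keep saying to upgrade.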



Re: avoiding ssl vulnerabilities in tomcat

2009-08-04 Thread sunil chandran
Hello sir,
 
I am sorry. I am using tomcat 4
 
 <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="150"
               enableLookups="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               keystoreFile=".keystore" keystorePass="mypass"
               clientAuth="false" protocol="TLS" />
    </Connector>

this is the portion of server.xml. I have enabled ssl.
 
still there are some vulnerabilities as informed by support team. They say 
that tomcat is configured to access without authentication. 
 
1. is it true?
2. How can we confirm if the tomcat SSL is configured using any algorithm to 
authenticate or “none”.
 
please help me.
 
regards
Sunil C
 
 



Re: avoiding ssl vulnerabilities in tomcat

2009-08-04 Thread David Smith
Just to clarify, authentication to my mind means providing
username/password credentials.  There's nothing in the connector aside
from maybe the clientAuth=false attribute that controls this.  Setting
that true would mean the client browser is required to send an
authentication certificate during the initial handshake.  Do you mean
accessing without encryption or server certificate?  If so, are there
any other connectors configured?  Can you offer any more specific
information regarding what the support team found?

--David






Re: avoiding ssl vulnerabilities in tomcat

2009-08-04 Thread Mark Thomas
sunil chandran wrote:
 Hello sir,
  
 I am sorry. I am using tomcat 4

Tomcat 4 is no longer supported. You *really* need to upgrade.

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                port="8443" minProcessors="5" maxProcessors="150"
                enableLookups="true"
                acceptCount="100" debug="0" scheme="https" secure="true"
                useURIValidationHack="false" disableUploadTimeout="true">

Again, read the docs. If you must use Tomcat 4 (and that is a bad idea)
you should not be using the Factory element.

       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
                keystoreFile=".keystore" keystorePass="mypass"
                clientAuth="false" protocol="TLS" />
     </Connector>
 
 this is the portion of server.xml. I have enabled ssl.
  
 still there are some vulnerabilities as informed by support team. They say 
 that tomcat is configured to access without authentication. 
  
 1. is it true?

Maybe.

 2. How can we confirm if the tomcat SSL is configured using any algorithm to 
 authenticate or “none”.

With clientAuth=false authentication will be controlled by your app's
web.xml.

Mark



