RE: Security vulnerabilities with tomcat 9
Hi Sumit

Please see my response below your question.

-----Original Message-----
From: Sumit Bhardwaj
Sent: Saturday, July 20, 2019 8:48 AM
To: Tomcat Users List
Subject: Security vulnerabilities with tomcat 9

> Hi,
>
> We are using tomcat 9 and getting following two vulnerabilities in security
> scans.
>
> Cookie Does Not Contain The "secure" Attribute (1)
> Cookie Does Not Contain The "HTTPOnly" Attribute (1)
>
> We have done things mentioned in
> https://geekflare.com/secure-cookie-flag-in-tomcat/
>
> true
> true
>
> and also updating the context.xml for useHttpOnly="true"
> It has not helped.
>
> We also tried updating our web application's web.xml with the cookie-config,
> but it has also not helped.
>
> What else do we need to do?
>
> Best
> Sumit

We went through something similar during security scans. We are currently
running Tomcat 8.5.x. Apache httpd manages the HTTPS, so TC does not use
HTTPS in our config. Made 2 changes to our application's web.xml. Maybe it
will work in TC 9.x also?

1. Inserted "web-app_3_1.xsd" into the web-app tag schemaLocation attribute:

   <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
            version="3.1"
            metadata-complete="true">

2. Inserted cookie-config and http-only tags into the existing session-config
   tag below session-timeout:

   <session-config>
       <session-timeout>15</session-timeout>
       <cookie-config>
           <http-only>true</http-only>
       </cookie-config>
   </session-config>

PLEASE NOTE: I am not an expert, but hopefully this information is correct
enough to be useful. If not, I trust some of the real experts to correct any
errancies. :-)

ALSO, it may help them to help you if you answer their questions when they
ask you for more details. ;-)

Don't know about the true option.

--
Cris Berneburg
CACI Lead Software Engineer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Security vulnerabilities with tomcat 9
Sumit,

On 7/20/19 08:47, Sumit Bhardwaj wrote:
> Hi,
>
> We are using tomcat 9 and getting following two vulnerabilities in
> security scans.
>
> Cookie Does Not Contain The "secure" Attribute (1)
> Cookie Does Not Contain The "HTTPOnly" Attribute (1)

Does the security scan tell you the NAME of the cookie(s) without these
attributes?

> We have done things mentioned in
> https://geekflare.com/secure-cookie-flag-in-tomcat/
>
> true
> true
>
> and also updating the context.xml for useHttpOnly="true" It has
> not helped.

Not surprising, since both of those are the default settings when using
HTTPS. You *are* using HTTPS, right?

> We also tried updating our web application's web.xml with the
> cookie-config, but it has also not helped.
>
> What else do we need to do?

Are you using a load-balancer? If so, what is the setup?

-chris
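Chris's first question, whether the scan names the cookie, is easiest to answer from the raw response headers rather than from the configuration. The Python below is an added example, not code from this thread: it parses the Set-Cookie headers of a constructed sample response (the header lines and cookie names are assumptions) and reports, per cookie, which of Secure and HttpOnly is absent, which is the same check the scanner performs.

```python
"""Report Set-Cookie headers that lack the Secure or HttpOnly attribute.

Added example, not from the mailing-list thread. The sample headers below
are constructed to resemble what a scanner sees when Tomcat sits behind a
TLS-terminating proxy and therefore treats the request as plain HTTP.
"""
from typing import Dict, List, Set

# Constructed sample: raw response header lines as a scanner would capture them.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: JSESSIONID=ABC123; Path=/app; HttpOnly",
    "Set-Cookie: remember_me=x%3Dy; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: lang=en; Path=/",
    "Content-Type: text/html",
]

REQUIRED = ("Secure", "HttpOnly")


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attribute names.

    Only the first '=' of the leading name=value pair is split, because the
    cookie value itself may contain '='. Attribute names are lower-cased so
    the comparison is case-insensitive, as RFC 6265 requires.
    """
    segments = [s.strip() for s in value.split(";")]
    name = segments[0].split("=", 1)[0].strip()
    attrs: Set[str] = {seg.split("=", 1)[0].strip().lower()
                       for seg in segments[1:] if seg}
    return {"name": name, "attrs": attrs}


def find_weak_cookies(header_lines: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for every Set-Cookie header
    that lacks Secure or HttpOnly; cookies carrying both are omitted."""
    weak: Dict[str, List[str]] = {}
    for line in header_lines:
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or an unrelated header
        cookie = parse_set_cookie(value)
        missing = [a for a in REQUIRED if a.lower() not in cookie["attrs"]]
        if missing:
            weak[str(cookie["name"])] = missing
    return weak


if __name__ == "__main__":
    for name, missing in find_weak_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Running it against a real response captured with the proxy in the path, rather than directly against Tomcat, shows whether the flags are lost at the load balancer.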
Re: Security vulnerabilities with tomcat 9
If you have a load balancer you will need to add these attributes there as
well...

Sent from my T-Mobile 4G LTE Device

-------- Original message --------
From: Sumit Bhardwaj
Date: 7/20/19 8:52 AM (GMT-05:00)
To: Tomcat Users List
Subject: Security vulnerabilities with tomcat 9

Hi,

We are using tomcat 9 and getting following two vulnerabilities in security
scans.

Cookie Does Not Contain The "secure" Attribute (1)
Cookie Does Not Contain The "HTTPOnly" Attribute (1)

We have done things mentioned in
https://geekflare.com/secure-cookie-flag-in-tomcat/

true
true

and also updating the context.xml for useHttpOnly="true"
It has not helped.

We also tried updating our web application's web.xml with the cookie-config,
but it has also not helped.

What else do we need to do?

Best
Sumit