Steve, it is not a vulnerability of Tomcat; nevertheless, it can be fixed by it. You definitely _should_ fix it, since data integrity cannot be assured on your https connections any more.
I have little to no Windows experience, but my understanding is that while running Tomcat on Windows Server, it will make use of the SSL/TLS libraries provided by Windows. This means the OpenSSL solution will not work for you. You would have to wait until MS provides a patch (some Windows guy should correct me on this if I'm mistaken). Meanwhile, you should investigate whether you can fix it by cleverly choosing the Tomcat Connector; maybe some Windows-Tomcat expert jumps on it :)

regards

Jens Neu
Health Services Network Administration
Phone: +49 (0) 30 68905-2412
Mail: jens....@biotronik.de

"Steve G. Johnson" <johnson_stev...@solarturbines.com>
01/18/2010 05:04 PM
Please respond to "Tomcat Users List" <users@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
cc:
Subject: SSLv3/TLS man-in-middle vulnerability

The local IT Security team ran an HP "Web Inspect" and it showed a High vulnerability for SSLv3/TLS known as CVE-2009-3555. We are running JVM JRE 1.6.0._17 on the server. You state on the http://tomcat.apache.org/security-5.html site at end of page that this is not a vulnerability depending on a number of factors. This is very unclear to us.