tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim McNerney <>
Subject Re: Tomcat Security Vulnerability
Date Fri, 06 Oct 2000 22:48:54 GMT

> > Just a general note. Using a firewall to protect a port or using IP
> > filtering or changing the port number are not fixes to the security
> > problem. They are workarounds. Being able to shut down the server
> > remotely is a serious security hole and needs to be treated as such.
> Being able to shut down the server remotely is indeed a serious security
> hole.
> But IMHO the real solution is to do use a firewall - and I strongly
> disagree it is a workaround. Heck - X11 does have 3-4 password-checking

And I absolutely disagree that it is a real solution. I'm not
downplaying the importance of using a firewall. You use it because there
are vulnerabilities that are not known and it offers a good way of
limiting the range and scope of such vulnerabilities.

> mechanisms, but I don't think any decent network rely on this and let 6000
> open. Same for NFS or SMB - again, both have built-in security ( more or
> less ).

Yes. And if you knew that all were truly secure, you wouldn't need to
have a firewall. The problem is you can't know that they are secure and
in fact can be relatively sure that they aren't so you use a firewall to
help guard against the vulnerabilities you don't know of. To use a
firewall as a solution to a known vulnerability is only reasonable in
the short term, until one manages to fix it. At this point, everyone who
is running Tomcat and older without a firewall who doesn't read these
groups is at risk. Doing an IP check to insure that the command is from
localhost is a fix and that is already in the system. I just worry about
anyone who thinks that a firewall is a panacea and that all security
concerns are fixed with its installation.

> If anyone contribute code to do extra checks I think we would be happy to
> include it.
> I think it's a big mistake to assume anything is secure - including a
> firewall or multiple firewalls, but it's important to at least minimize
> the risks - and so far the best way is to use IP-level mechanisms wherever
> is possible. It's a well tested mechanism ( as oposed to any home-grown
> security mechanism ).

Absolutely. I'm not saying that one should get rid of one's firewall
once this issue is resolved. I don't think anything is all that secure.
Using a firewall is an important step in securing a system. But that
doesn't stop me from shutting down all non-used ports on the computer
itself, stopping all non-necessary services, removing unnecessary
accounts, using strong passwords or PKs and generally doing everything
to make sure that I've kept up with security patches for any machine I
harden. If you feel confident dropping a firewall in front of a network
of machines which all have empty passwords for root, go ahead.

> We have the start of an admin interface, it's easy to just use it to stop
> tomcat.

Which is the best longterm solution.

I'm not trying to attack anyone here and don't want to sound ungrateful
about the work being done or disrespectful of those doing it. I just get
very worked up about matters of security.


View raw message