tomcat-dev mailing list archives

From Michael Percy <>
Subject RE: Tomcat Security Vulnerability
Date Fri, 06 Oct 2000 21:08:05 GMT
> But IMHO the real solution is to use a firewall - and I strongly
> disagree it is a workaround. Heck - X11 does have 3-4 password-checking
> mechanisms, but I don't think any decent network relies on this and
> lets 6000 open. Same for NFS or SMB - again, both have built-in
> security (more or less).

Yes, but the reason for firewalling these ports is mainly to 1) hide your
services, and 2) defend against possible password-cracking attacks and the
like. This is surely a good idea for Tomcat, but it is imperative that any
bugs allowing a simple canned shot to bring down your server be stomped
immediately, and be recognized as critically serious... regardless of
whether that sweet(sour?) spot is behind a firewall.

> I'm all +1 for removing the shutdown option from mod_jserv or to remove
> mod_jserv completely.
> We have the start of an admin interface, it's easy to just use it to stop
> tomcat.

If we did this, we would need to re-document all of the examples, for one.
They are all written for Ajp11/Ajp12 and mod_jserv. And still, it seems like
75% of people who try with mod_jk end up figuring out mod_jserv and give
up on mod_jk... this is a problem that maybe just needs thorough
documentation to fix.

> Costin
