tomcat-dev mailing list archives

From cmanola...@yahoo.com
Subject RE: Tomcat Security Vulnerability
Date Fri, 06 Oct 2000 22:13:34 GMT
Ok, let's sort this out:

1. Is this a problem in tomcat 3.2? If so, we must fix it, it's a huge
bug (and I can't see where it happens - we do check for localhost).

2. For 3.1 - I don't think we should make a 3.1.1 with a fix for this,
the solution is to upgrade to 3.2. As a temporary fix - either disable
mod_jserv / ajp12 or use an IP filtering solution.

3. In 3.3 - I'll just remove the exit and all "control" messages, and
leave the communication mechanism only for proxying requests. The admin
interface will be used to stop tomcat and do any administrative tasks.
It's possible to automate this using HTTP requests with a password header.

Do you think this is an acceptable solution?



Costin



On Fri, 6 Oct 2000, Michael Percy wrote:

> > But IMHO the real solution is to use a firewall - and I strongly
> > disagree it is a workaround. Heck - X11 does have 3-4 password-checking
> > mechanisms, but I don't think any decent network relies on this and lets
> > 6000 open. Same for NFS or SMB - again, both have built-in security (more
> > or less).
> 
> Yes, but the reason for firewalling these ports is mainly to 1) hide your
> services, and 2) defend against possible password-cracking attacks and the
> like. This is surely a good idea for Tomcat, but it is imperative that any
> bugs allowing a simple canned shot to bring down your server be stomped
> immediately, and be recognized as critically serious... regardless of
> whether that sweet(sour?) spot is behind a firewall.
> 
> > I'm all +1 for removing the shutdown option from mod_jserv or to remove
> > mod_jserv completely.
> >
> > We have the start of an admin interface, it's easy to just use it to stop
> > tomcat.
> 
> If we did this, we would need to re-document all of the examples, for one.
> They are all written for Ajp11/Ajp12 and mod_jserv. And still, it seems like
> 75% of people who try with mod_jk, end up figuring out mod_jserv, and give
> up on mod_jk... this is a problem that maybe just needs thorough
> documentation to fix.
> 
> > 
> > Costin
> 
> 
> Regards,
> Mike
> 
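The design sketched in point 3 above (a loopback-only control channel that additionally requires a password header, with the bare "exit" message gone), as an added illustration that is not Tomcat's code and not from anyone in this thread. The header name `X-Admin-Password`, the `/admin/shutdown` path, the port and the secret are all assumptions for the example.

```python
import hmac
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed shared secret; a real deployment would load it from a file that
# only the tomcat user can read, never hard-code it.
CONTROL_SECRET = "replace-me-with-a-long-random-value"
PASSWORD_HEADER = "X-Admin-Password"  # header name is an assumption


def is_loopback(peer_ip: str) -> bool:
    """True only for 127.0.0.0/8 or ::1; malformed addresses are rejected."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False


def authorize_control(peer_ip, headers, secret=CONTROL_SECRET) -> bool:
    """Both checks must pass: the peer is local AND the password matches.

    The localhost check alone is what the old ajp12 path relied on; the
    password header is the second factor the admin interface adds.
    Constant-time comparison avoids leaking the secret via timing.
    """
    if not is_loopback(peer_ip):
        return False
    supplied = headers.get(PASSWORD_HEADER, "")
    return hmac.compare_digest(supplied.encode(), secret.encode())


class AdminHandler(BaseHTTPRequestHandler):
    """Minimal admin endpoint: only an authorized POST stops the server."""

    def do_POST(self):
        peer_ip = self.client_address[0]
        if self.path != "/admin/shutdown" or not authorize_control(peer_ip, self.headers):
            self.send_error(403, "forbidden")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"stopping\n")
        # shutdown() must run on another thread than the one serving requests
        threading.Thread(target=self.server.shutdown, daemon=True).start()


def serve(port: int = 8081) -> None:
    """Bind to loopback only, so remote hosts never reach the control path."""
    HTTPServer(("127.0.0.1", port), AdminHandler).serve_forever()
```

Binding to 127.0.0.1 and checking the peer address are the IP-filtering half; the header check is what stops any local unprivileged process from issuing the stop.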

