tomcat-dev mailing list archives

From "Hoehle, Joerg-Cyril" <>
Subject performing a security analysis on the Tomcat software
Date Fri, 02 Dec 2005 11:38:07 GMT
Dear tomcat developers,

BSI, the German Federal Office for Information Security
 -- Bundesamt für Sicherheit in der Informationstechnik, e-mail:
endorses the use of Open Source software and has
contracted T-Systems to perform a security check on Tomcat.

The Federal Office for Information Security (BSI) is the central IT
security service provider for the German government.  By our basic
research within the area of IT security we take responsibility for the
security of our society, and are thus indispensable to the internal
security of Germany.  Our services and products are aimed at the users
and manufacturers of information technology products. Those are
primarily the public administration at federal, state and municipal
level, in addition to companies and private users. As Germany's National
Security Agency, it is our goal to promote IT security in Germany so
that everyone can make the most of the opportunities opened up by the
information society.

As part of its activities, BSI has contracted the security engineering
group at T-Systems International to perform security-related testing of
the open source Tomcat software.

These activities comprise the following:
+ installation & documentation checks,
+ a source code review of mod_jk and selected parts of Tomcat,
+ penetration testing.

BSI is going to make the results of the analysis publicly available on
the internet, so people will be able to download the study from their site.

Please contact for any questions related to the
analysis, or feel free to mail me at

The analysis has already started. I think I owe you people an apology
for already having posted two bug reports (#37322 and #37332) prior to
this announcement of our activity to the mailing list.

We sincerely hope that our analysis will contribute to making Tomcat
even more robust and easy to deploy.  So far, we are very pleased
with what we see, which gives us a good impression of the software.

Our goal is to publish to the bugtracker individual and separable
items which can be classified as bugs. We'll alert
for any serious security vulnerabilities we find (which is what
Bugzilla recommends). And finally, I plan to send a general summary
of findings to this mailing list when we have finished. These will
be the kind of findings and remarks that do not fit into individual
methods and modules but rather concern the software as a whole.

	Jörg Höhle.
Solution & Service Center Testfactory & Security
T-Systems International GmbH
Postal address: Deutsche-Telekom-Allee 7, 64295 Darmstadt
Tel. ++49 6151 937-6913
