tomcat-users mailing list archives

From "Steve G. Johnson" <Johnson_Stev...@solarturbines.com>
Subject SSLv3/TLS man-in-middle vulnerability
Date Mon, 18 Jan 2010 16:03:26 GMT

We recently installed Tomcat 5.5.23 on a Windows server to support the Infor
WebUI (webtop) application.
We installed a certificate and are using SSL on port 8443. This all works
fine.

The local IT Security team ran an HP "Web Inspect" and it showed a High
vulnerability for SSLv3/TLS known as CVE-2009-3555.
We are running JVM JRE 1.6.0_17 on the server.
You state on the http://tomcat.apache.org/security-5.html site at the end of
the page that this is not a vulnerability depending on a number of factors.
This is very unclear for us.

The Web Inspect product stated that this must be fixed as follows:
"
Patches must be applied to the underlying web server and ssl library.
OpenSSL Patch: http://www.openssl.org/source/openssl-0.9.8l.tar.gz
Apache Mod-SSL Patch:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
These patches may cause issues with sites that require renegotiation.
(Sites requiring public HTTPS access with certain folders
protected by client-side certificates)
"

What can we do to make the vulnerability shown in Web Inspect go away?

Thanks.

Steve Johnson (619) 237-8315
Please consider the environment before printing this e-mail.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

