tomcat-users mailing list archives

From Jens Neu <jens....@biotronik.com>
Subject Re: SSLv3/TLS man-in-middle vulnerability
Date Mon, 18 Jan 2010 16:37:56 GMT
Steve,

it is not a vulnerability of Tomcat, nevertheless it can be fixed by it. 
You definitely _should_ fix it, since data integrity can not be assured on 
your https connections any more.

I have little to no Windows experience, but my understanding is that while 
running Tomcat on Windows Server, it will make use of the SSL/TLS 
libraries provided by Windows. Meaning: the OpenSSL solution will not work 
for you.
You would have to wait until MS provides a patch (some Windows guy should 
correct me on this if I'm mistaken).

Meanwhile you should investigate whether you can fix it by cleverly choosing the 
Tomcat Connector; maybe some Windows-Tomcat expert jumps on it :)

regards

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens.neu@biotronik.de



"Steve G. Johnson" <Johnson_Steve_G@solarturbines.com> 
01/18/2010 05:04 PM
Please respond to "Tomcat Users List" <users@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Subject: SSLv3/TLS man-in-middle vulnerability

The local IT Security team ran an HP "Web Inspect" and it showed a High
vulnerability for SSLv3/TLS known as CVE-2009-3555.
We are running JVM JRE 1.6.0._17 on the server.
You state on the http://tomcat.apache.org/security-5.html site at the end of
the page that this is not a vulnerability depending on a number of factors.
This is very unclear for us.






