tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Apache Tomcat 5.5.34 Question (UNCLASSIFIED)
Date Thu, 29 Sep 2011 21:59:22 GMT
Christopher Schultz wrote:
> Harold,
> 
> On 9/22/2011 11:51 AM, BARRON, HAROLD H CTR DISA EE wrote:
>> Classification:  UNCLASSIFIED
> 
> Thank god none of this is classified.
> 
>> I might have to write a plan of action to temporarily mitigate
>> this issue until the update is posted. I just want to be able to
>> present it in a way that my users will not have a
>> problem understanding when I do.
> 
> Here's your plan:
> 
> "We're gonna set a pre-shared secret on both our web servers and our
> application servers and bounce everything. 

Addendum:
And then we're gonna make sure that the configuration files of Tomcat are given 
appropriate permissions so that only Tomcat and authorized users can browse said secret.
End of addendum.

> Then the chances of this
> attack being carried out are reduced to the key space of the secret.
> So, make up a big long string of random characters and set:
> 
> workers.properties:
> worker.myWorker.secret=[super secret string]
> 
> server.xml:
> <Connector request.secret="[super secret string]" ...
> "
> 
> mod_jk has an 8192-character limit on each configuration line of
> workers.properties. The form of the directive is:
> 
> worker.[workerName].secret=[here goes the secret]
> 
> That means that you have (8192 - 15 - strlen(workerName)) characters
> for your shared secret. That's a big space to search.
> 
> This is not a terribly arduous technique to mitigate this attack.
> 
> - -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
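
As an added example (not code from this thread or from Tomcat/mod_jk), a small Python check for the mitigation discussed above: it parses workers.properties and server.xml text, confirms each worker's secret matches an AJP Connector's request.secret (the Tomcat 5.5 attribute named in the message), enforces the 8192-character line limit, and flags configuration files whose mode lets group or other read the secret, as the addendum asks. The sample inputs, the placeholder secret and the 32-character minimum are assumptions, not values from the thread.

```python
import re
import xml.etree.ElementTree as ET

LINE_LIMIT = 8192      # per-line limit in workers.properties, as stated in the message
MIN_SECRET_LEN = 32    # assumed local policy; the message only asks for "big long"

def worker_secrets(workers_properties):
    """Map worker name -> secret from workers.properties text; reject over-long lines."""
    secrets = {}
    for line in workers_properties.splitlines():
        if len(line) > LINE_LIMIT:
            raise ValueError("workers.properties line exceeds the 8192-character limit")
        m = re.match(r"\s*worker\.([^.=\s]+)\.secret\s*=\s*(.*?)\s*$", line)
        if m:
            secrets[m.group(1)] = m.group(2)
    return secrets

def connector_secrets(server_xml):
    """Collect request.secret values from AJP Connector elements in server.xml text."""
    root = ET.fromstring(server_xml)
    return [c.get("request.secret", "")
            for c in root.iter("Connector") if "AJP" in c.get("protocol", "")]

def audit(workers_properties, server_xml, file_modes):
    """Return findings (empty list = consistent secrets and restrictive file modes)."""
    findings = []
    workers = worker_secrets(workers_properties)
    connectors = connector_secrets(server_xml)
    if not any(connectors):
        findings.append("no AJP Connector in server.xml sets request.secret")
    for name, secret in workers.items():
        if not secret:
            findings.append(f"worker {name}: empty secret")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"worker {name}: secret shorter than {MIN_SECRET_LEN} chars")
        if secret and secret not in connectors:
            findings.append(f"worker {name}: secret matches no Connector request.secret")
    for path, mode in file_modes.items():   # mode as in os.stat(path).st_mode & 0o777
        if mode & 0o077:
            findings.append(f"{path}: mode {mode:04o} is readable by group/other")
    return findings

# Constructed sample inputs (not from the message); the secret is a placeholder value.
SECRET = "placeholder-" + "x" * 28
SAMPLE_WORKERS = f"worker.list=myWorker\nworker.myWorker.type=ajp13\nworker.myWorker.secret={SECRET}\n"
SAMPLE_SERVER_XML = (f'<Server><Service><Connector port="8009" protocol="AJP/1.3" '
                     f'request.secret="{SECRET}"/></Service></Server>')

if __name__ == "__main__":
    print(audit(SAMPLE_WORKERS, SAMPLE_SERVER_XML, {"workers.properties": 0o600, "server.xml": 0o600}))
```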