tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dan" <dan.chern...@gmail.com>
Subject RE: SSL Vulnerability in Tomcat and/or JVM?
Date Fri, 14 Sep 2012 14:59:29 GMT
I experienced this exact same issue with McAfee secure scan. If you are you
using JSSE as your provider you should be okay. You can submit this as a
false positive scan and let them know you are using JSSE instead of OpenSSL.


You can check to see which provider you are using by looking at your
connector. 

JSSE 
<Connector protocol="org.apache.coyote.http11.Http11Protocol"   port="443"
.../>

APR/OpenSSL
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="443"
.../>


Dan

-----Original Message-----
From: Brian Braun [mailto:brianbraun@gmail.com] 
Sent: Friday, September 14, 2012 1:06 AM
To: Tomcat Users List
Subject: SSL Vulnerability in Tomcat and/or JVM?

Hi,



In my site I'm using a certificate from www.securitymetrics.com. Today they
disabled my certificate. This is supposed to be the main reason:



Description: SSL/TLS Protocol Initialization Vector Implementation
Information Disclosure Vulnerability Synoposis: It may be possible to obtain
sensitive information from the remote host with SSL/TLS-enabled services.
Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow
information disclosure if an attacker intercepts encrypted traffic served
from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not
use CBC mode are not affected. This script tries to establish an SSL/TLS
remote connection using an affected SSL version and cipher suite, and then
solicits return data. If returned application data is not fragmented with an
empty or one-byte record, it is likely vulnerable.
OpenSSL uses empty fragments as a countermeasure unless the
'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is
initialized. Microsoft implemented one-byte fragments as a countermeasure,
and the setting can be controlled via the registry key H
KEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders
\\SCHANNEL\\SendExtraRecord <file://schannel/SendExtraRecord>. Therefore, if
multiple applications use the same SSL/TLS implementation, some may be
vulnerable while others may not, depending on whether or not a
countermeasure has been enabled. Note that this script detects the
vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does
not detect the BEAST attack where it exploits the vulnerability at HTTPS
client-side (i.e., Internet browser). The detection at server-side does not
necessarily mean your server is vulnerable to the BEAST attack because the
attack exploits the vulnerability at client-side, and both SSL/TLS clients
and servers can independently employ the split record countermeasure. See
also : http://www.openssl.org/~bodo/tls-cbc.txt
http://vnhacker.blogspot.com/2011/09/beast.html
http://technet.microsoft.com/en-us/security/bulletin/ms12-006
http://support.microsoft.com/kb/2643584
http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-beast.aspxData
Received: Negotiated cipher suite: EDH-RSA-DES-
CBC3-SHA|SSLv3|Kx=DH|Au=RSA|Enc=3DES(168)|Mac=SHA1 Resolution: Configure
SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure
SSL/TLS servers to only support cipher suites that do not use block ciphers.
Apply patches if available. Note that additional configuration may be
required after the installation of the MS12-006 security update in order to
enable the split-record countermeasure. See
http://support.microsoft.com/kb/2643584 for details. Risk Factor: Medium/
CVSS2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVE: CVE-2011-3389



This is supposed to explain it further:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389


What should I do? Should I modify the parameters in my Tomcat Connector?
Should I upgrade my JVM? Should I upgrade Tomcat to a most recent version?
Should I use Windows instead of Linux? (I'm joking with the last one!)



Some information you may need to answer this:


- Linux Centos 5.8
- I'm using an SSL certificate from geotrust, a very current one (as far as
I know).

- JVM: 1.6.0_11-b03

- Tomcat 7.0.10 (Even though I disguised it as 7.0.25, actually so
securitymetrics don't bother me with some very obscure vulnerabilities that
would force me to update it otherwise)

- This is the relevant entry in my server.xml file:



    <Connector

        connectionTimeout="10000"

        enableLookups="true"

        port="8443"

        scheme="https"

        secure="true"

        clientAuth="false"

        keystoreFile="conf/certificate.kdb"

        minSpareThreads="4"

        maxThreads="1000"

        sslProtocol="SSLv3"


ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_
3DES_EDE_CBC_SHA"

        protocol="HTTP/1.1"

        SSLEnabled="true">

    </Connector>

Thanks in advance!


Brian


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message