tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Adamus, Steven J." <STEVEN.J.ADA...@saic.com>
Subject RE: tomcat question
Date Mon, 22 Oct 2012 18:47:11 GMT
Maxie, 

You're probably referring to a DoD or similar security requirement. In
the Web Server STIG, Rule ID SV-2236r8 says, "Installation of compilers
on production web server is prohibited." The explanation provided is,
"The presence of a compiler on a production server facilitates the
malicious user's task of creating custom versions of programs and
installing Trojan Horses or viruses. For example, the attacker's code
can be uploaded and compiled on the server under attack." 

There are exceptions to this rule, The same STIG says, "This check does
not prohibit the use of the .Net Framework or the Java compiler for
Oracle", and "An exception is the Java Development Kit installed in
conjunction with a WebSphere service or Java Server Page (JSP)". 

You need to push back and tell your Security Auditors that the Java and
Jasper compilers are required for Tomcat. Provide any documentation they
require. 

Steve


-----Original Message-----
From: users-return-237320-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org
[mailto:users-return-237320-STEVEN.J.ADAMUS=saic.com@tomcat.apache.org]
On Behalf Of Wiley, Maxie
Sent: Monday, October 22, 2012 6:18 AM
To: users-subscribe@tomcat.apache.org; users@tomcat.apache.org
Subject: tomcat question

ALL,

Is it possible to remove an installation of a compiler on a production
web server(tomcat)? If there is a way to remove the compiler or is it
required in order for the system to function properly.  Could you please
send me a  precise summary of why and any steps that can be taken to
mitigate any potential risk associated with the compiler remaining in
place.This is for s security issue on my production system.


Thanks for your time and support!
Maxie Wiley III



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message