tomcat-users mailing list archives

From Coty Sutherland <csuth...@redhat.com>
Subject Re: More, Re: Question about vulnerability report
Date Mon, 08 Aug 2016 18:47:27 GMT
Vulnerability scanners are always iffy when it comes to finding actual
issues IMO. They're good for running a quick scan to get an overall
feel for weaknesses, but the effectiveness varies from tool to tool
(some only check versions, etc). I think that the best way to test if
you're vulnerable to POODLE is to try and connect via SSLv3, as you've
already done, or with s_client (openssl s_client -ssl3 -connect
$HOST:$PORT). If that fails to connect, then you're good. As far as
the TLS issues, TLSv1.0 is vulnerable to BEAST
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3389) so you
may want to consider disabling CBC ciphers, or even upgrading to java7
if that's causing your audit to fail.

On Mon, Aug 8, 2016 at 2:31 PM, James H. H. Lampert
<jamesl@touchtonecorp.com> wrote:
> Hmm. This is interesting.
>
> pentest-tools.com says that neither our server nor the customer server is
> vulnerable to POODLE.
>
> But Site24x7.com says ours IS vulnerable to POODLE. Then (when I click "View
> Result") it says it isn't. Then (when I actually run the test again) it once
> again says it is. (I haven't tested the customer site because results are
> posted on the test home page, which would compromise the customer's
> privacy.)
>
> Some other POODLE test sites don't appear to work at all. Others say we're
> not vulnerable.
>
> Manually testing both servers with
>>
>> curl -v3 -X HEAD https://www.example.com
>
> from a BASH session on my Mac, as per
> <http://chrisburgess.com.au/how-to-test-for-the-sslv3-poodle-vulnerability/>
>
> comes back with the desired "failed handshake" message on both servers.
>
>
> --
> JHHL
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
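The thread's own check is the right one: try to negotiate SSLv3 and see whether the server refuses. The part the scanners in the thread get wrong, and the part a practitioner gets bitten by, is that "failed to connect" has two very different causes: the server rejected the protocol (good), or the scanner's own OpenSSL no longer speaks SSLv3 at all (1.1.0 and later are built without it by default), in which case the result says nothing about the server. The script below is an added example, not code from this thread or from the Tomcat project: it wraps the `openssl s_client -ssl3 -connect $HOST:$PORT` check from the reply above and sorts the output into ACCEPTED / REJECTED / UNTESTABLE. The function names, the three verdict labels, and the sample s_client transcripts (constructed, with the long fields shortened) are mine; the strings it matches on are OpenSSL's own error and "Cipher is" messages.

```shell
#!/bin/sh
# Added example (not from the thread): classify the output of
#   openssl s_client -<proto> -connect HOST:PORT </dev/null 2>&1
# so that "the client could not even offer SSLv3" is never reported
# as "the server rejected SSLv3".
#
# Verdicts printed by classify_sclient (labels are this example's own):
#   ACCEPTED    a handshake completed with that protocol (for -ssl3: POODLE-exposed)
#   REJECTED    the server refused the protocol (what you want to see for -ssl3)
#   UNTESTABLE  the client side failed first (protocol compiled out, option
#               unknown, TCP connect failed); prove nothing about the server

classify_sclient() {
    out=$(cat)   # s_client output (stdout+stderr) on stdin
    case "$out" in
        # client-side failures come first: these must never become REJECTED
        *"no protocols available"*|*"nknown option"*|*"unsupported protocol"*|*"connect:errno"*)
            echo UNTESTABLE ;;
        # server refused: alert from the peer, or no cipher negotiated
        *"handshake failure"*|*"alert protocol version"*|*"wrong version number"*|*"Cipher is (NONE)"*)
            echo REJECTED ;;
        # a real cipher was negotiated, e.g. "New, SSLv3, Cipher is AES128-SHA"
        *"Cipher is "*)
            echo ACCEPTED ;;
        *)
            echo UNTESTABLE ;;
    esac
}

# Live probe. Usage: probe HOST PORT PROTO   with PROTO one of ssl3 tls1 tls1_1 tls1_2
probe() {
    openssl s_client "-$3" -connect "$1:$2" </dev/null 2>&1 | classify_sclient
}

# --- constructed sample transcripts (abridged), for offline use ---------------

# OpenSSL 1.0.x client, server refuses SSLv3
sample_rejected() {
cat <<'EOF'
CONNECTED(00000003)
140735:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
EOF
}

# OpenSSL 1.0.x client, server still speaks SSLv3 (vulnerable)
sample_accepted() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = www.example.com
verify error:num=18:self signed certificate
---
New, SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA
EOF
}

# OpenSSL 1.1.x client built without SSLv3: the probe cannot be run from here
sample_untestable() {
cat <<'EOF'
s_client: Unknown option: -ssl3
s_client: Use -help for summary.
EOF
}

# Stand-alone demo on the constructed samples (no network needed)
for s in rejected accepted untestable; do
    printf '%-10s -> %s\n' "$s" "$(sample_$s | classify_sclient)"
done
```

Run `probe www.example.com 443 ssl3` for the POODLE check and `probe ... tls1` for the TLSv1.0 finding; anything other than REJECTED for ssl3 needs a second look, and UNTESTABLE means you must repeat the probe from a host whose OpenSSL still has SSLv3 built in (or use a client such as `nmap --script ssl-enum-ciphers` that does not depend on the local library). On the Tomcat side, the JSSE Connector's sslEnabledProtocols attribute (Tomcat 7/8) is where SSLv3 and TLSv1.0 get dropped. One caveat on the "disable CBC ciphers" advice: Java 7's JSSE has no AES-GCM suites (those arrived in Java 8), so on Java 7 there is no AES cipher left once CBC is removed; the practical fix is to require TLSv1.1 or later, whose per-record IVs remove the BEAST condition, and to move to Java 8 if you want GCM suites.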