tomcat-users mailing list archives

From Magosányi Árpád <m4g...@gmail.com>
Subject Re: Help requested to fix the tomcat vulnerability
Date Tue, 05 Nov 2019 18:43:36 GMT
Hi,

I suggest following this guide:
https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

On 11/5/19 2:29 PM, thulasiram k wrote:
> Hi,
>
> We have installed Tomcat 7.0.94 on Windows 2016 with no SSL enabled, but
> during a Qualys scan we found the vulnerability below. Can you guide us on
> how we can fix it?
>
> 1)
> QID : 86763 - Web Server Uses Plain Text Basic Authentication
> Impact : Using Readable Clear Text can help eavesdropping and thereby
> compromise confidentiality.
> An attacker can successfully exploit this issue when the 401 error is
> returned when authentication is required. Also, an attacker can find out
> that the Basic Authentication scheme is used using the WWW-authenticate
> header.
>
> I can see requests are redirecting to 8443 from server.xml
>
> <Connector port="8080" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="8443" />
>
> Let me know if you have any suggestions.
>
> Thanks
> Ram
>
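
Added example, not part of either message: a small audit of the two settings this finding depends on. Tomcat only redirects to `redirectPort` when the web application's security constraint requires a `CONFIDENTIAL` transport guarantee, and the redirect is only useful if a TLS connector listens on that port. The TLS connector values, the keystore placeholders and the `web.xml` content are constructed assumptions; only the port 8080 connector comes from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs. HTTP is the connector quoted above; the TLS connector,
# keystore values and web.xml content are assumptions for illustration.
HTTP = '<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />'
TLS = ('<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" '
       'SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" '
       'keystoreFile="conf/PLACEHOLDER.jks" keystorePass="PLACEHOLDER" />')
SERVER_WEAK = "<Server><Service>%s</Service></Server>" % HTTP
SERVER_FIXED = "<Server><Service>%s</Service></Server>" % (HTTP + TLS)
WEB = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
  <web-resource-collection><web-resource-name>app</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>%s
</security-constraint><login-config><auth-method>BASIC</auth-method></login-config></web-app>"""
WEB_WEAK = WEB % ""
WEB_FIXED = WEB % ("<user-data-constraint><transport-guarantee>CONFIDENTIAL"
                   "</transport-guarantee></user-data-constraint>")

def _all(root, name):
    # Match on local tag name so the check works with or without an xmlns.
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def audit(server_xml, web_xml):
    """Return findings that leave BASIC credentials reachable over plain HTTP."""
    findings = []
    connectors = _all(ET.fromstring(server_xml), "Connector")
    tls_ports = {c.get("port") for c in connectors
                 if (c.get("SSLEnabled") or "").lower() == "true"}
    for c in connectors:
        if c.get("port") not in tls_ports and c.get("redirectPort") not in tls_ports:
            findings.append("redirectPort %s has no TLS connector" % c.get("redirectPort"))
    web = ET.fromstring(web_xml)
    basic = any((m.text or "").strip().upper() == "BASIC" for m in _all(web, "auth-method"))
    for sc in _all(web, "security-constraint"):
        guarantees = [(t.text or "").strip() for t in _all(sc, "transport-guarantee")]
        if basic and _all(sc, "auth-constraint") and "CONFIDENTIAL" not in guarantees:
            findings.append("BASIC auth constraint lacks CONFIDENTIAL transport-guarantee")
    return findings

if __name__ == "__main__":
    for name, s, w in [("weak", SERVER_WEAK, WEB_WEAK), ("fixed", SERVER_FIXED, WEB_FIXED)]:
        print(name, audit(s, w))
```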

