Mark,

On 3/15/16 5:19 AM, Mark Thomas wrote:
> This comes down to the threat scenarios in which Tomcat is intended
> to be secure. A vulnerability is, essentially, when an attacker is
> able to bypass that security in some way.
>
> Tomcat is not intended to be secure from attacks by malicious
> local users if those local users have write access to any part of
> the Tomcat installation.

Precisely. This is why I was minimizing the impact of this threat. It's
definitely something that ought to be addressed (by users -- there is a
mitigation available), but it shouldn't be considered high-priority or
urgent.

> Tomcat is intended to be secure from running malicious web
> applications (they should not be able to view data from other web
> applications or access other data on the server Tomcat is running
> on) providing a SecurityManager is used. Where it gets interesting
> is that you cannot protect against a DoS attack by a malicious web
> application - even when running under a SecurityManager.

Of course. One of the features of a web server is that it's expected to,
you know, serve content when a request is made ;)

> It would probably be a "Good Thing" to document the scenarios in
> which Tomcat is intended to be secure. I think they are reasonably
> well understood by the Tomcat committers - maybe not so much by the
> wider community.

Or, more to the point, document the scenarios under which we think that
security is /not/ achievable -- such as protecting config files beyond
what the filesystem permissions can provide.

In general, Tomcat should be fairly secure out of the box. I always think
it's funny when people want to know about "Hardening Tomcat". It's pretty
"hard" to begin with. Basically, if you want to harden a Tomcat
installation, do whatever you would do to harden anything: don't run as
root/admin, lock down file permissions, remove unnecessary applications,
use TLS. Nothing really Tomcat-specific.

The only thing that's potentially insecure in a stock Tomcat install is
that the examples applications will deploy by default (unless you use
separate CATALINA_HOME/CATALINA_BASE), and there could be a vulnerability
hiding in the examples webapp.

-chris
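The hardening checklist Chris gives above (don't run as root, lock down file permissions, remove the default webapps such as examples), turned into a small audit script. This is an added example, not code from the thread or from Tomcat; it assumes a stock CATALINA_BASE layout (conf/, lib/, webapps/) and that the caller passes the service account Tomcat is configured to run as.

```shell
#!/bin/sh
# Added example (not from the thread or the Tomcat project): audit a
# CATALINA_BASE against the three points raised above -- default webapps still
# deployed, files in the installation writable by local users other than the
# owner, and Tomcat configured to run as root.
# Prints one "FINDING:" line per issue and a "TOTAL:" line at the end.
# Assumptions: POSIX sh and find; stock layout (conf/, lib/, webapps/); the
# caller supplies the service user Tomcat runs as (e.g. from the unit file).

tomcat_audit() {
    base="$1"
    run_user="${2:-}"
    count=0

    # 1. "Remove unnecessary applications": examples and docs ship with the
    #    distribution and deploy automatically from webapps/.
    for app in examples docs; do
        if [ -d "$base/webapps/$app" ]; then
            echo "FINDING: default webapp '$app' is deployed in $base/webapps"
            count=$((count + 1))
        fi
    done

    # 2. "Lock down file permissions": anything under conf/, lib/ or webapps/
    #    that group or others can write lets a local user change what Tomcat
    #    loads. (Paths containing whitespace are not handled by this loop.)
    writable=$(find "$base/conf" "$base/lib" "$base/webapps" \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
    for f in $writable; do
        echo "FINDING: $f is writable by group or others"
        count=$((count + 1))
    done

    # 3. "Don't run as root/admin".
    if [ "$run_user" = "root" ]; then
        echo "FINDING: Tomcat is configured to run as root"
        count=$((count + 1))
    fi

    echo "TOTAL: $count"
    return 0
}

# Stand-alone use: tomcat_audit /path/to/catalina_base [service-user]
if [ $# -gt 0 ]; then
    tomcat_audit "$@"
fi
```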