Hello,
I am using Tomcat Version: apache-tomcat-7.0.50
OS: Red Hat Enterprise Linux Server release 6.5 (Santiago) 64bit
Issue: There were 2 vulnerabilities found, and I need to know whether there are
configurations or patches available to resolve these.
1. Tomcat was configured to use SSL (HTTPS). It was found that an input
validation vulnerability exists.
The error is due to improper filtering of HTTP requests, which could allow
users to conduct request attacks.
In server.xml these are enabled:
...
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector SSLEnabled="true"
               keystoreType="PKCS12"
               acceptCount="100"
               clientAuth="false"
               connectionTimeout="60000" disableUploadTimeout="false"
               enableLookups="false"
               SSLCertificateFile="/pathto/CERT.crt"
               SSLCertificateKeyFile="pathto/KEY.key"
               SSLPassword="........"
               SSLCertificateChainFile="/pathto/Root.crt"
               keyAlias="......."
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="5"
               noCompressionUserAgents="gozilla, traviata" port="8443"
               scheme="https" secure="true"
               sslProtocol="TLSv1.2"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
...
To prevent and restrict user redirection of HTTPS pages, the following solution
was also added, and I thought this may resolve this vulnerability.
In /webapps/WEB-INF/web.xml - does this web.xml update remediate this
vulnerability issue? Or is there another solution that I should use?
WEB-INF/web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HTTPSOnly</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HTTPSOrHTTP</web-resource-name>
            <url-pattern>*.ico</url-pattern>
            <url-pattern>/img/*</url-pattern>
            <url-pattern>/css/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
2. We are using Samba and NetBIOS access through Tomcat to auto-detect
Windows usernames internally. I am using the jcifs.jar in the Tomcat lib to do
this, which identifies the user's Windows username for a web application.
a. Is there a configuration we could use instead to remediate this
vulnerability reported in Tomcat 7?
b. Or would upgrading to Tomcat version 9 eliminate these 2
vulnerabilities?
Example of what was found:
Vulnerability Title
Result
1. Apache Tomcat Input Validation Security Bypass Vulnerability
Apache Tomcat Input Validation Security Bypass Vulnerability detected on 8443
port.<title>Apache Tomcat/7.0.50 - Error report</title>Apache Tomcat Input
Validation Security Bypass Vulnerability detected on 8080 port.
2. Null Session/Password NetBIOS Access
Thanks for any information
________________________________
Larry Taylor
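A way to see what the quoted web.xml actually enforces for a given request path, as an added example that is not code from this thread or from Tomcat: it parses the two security-constraints and applies the url-pattern precedence the Servlet specification prescribes for selecting constraints (exact match, then longest path prefix, then extension, then the default "/" pattern), which is what Tomcat follows. The function names (load_constraints, effective_guarantee, audit), the sample paths and the embedded copy of the web.xml are this example's own. Because "/*" is a path-prefix pattern and "*.ico" is an extension pattern, the prefix match wins and "/favicon.ico" stays CONFIDENTIAL, so only the "/img/*" and "/css/*" exemptions in the second constraint take effect.

```python
"""Audit which request paths a web.xml forces onto HTTPS (CONFIDENTIAL)."""
import xml.etree.ElementTree as ET

# Constructed sample: the two <security-constraint> blocks quoted in the
# message, wrapped in a minimal <web-app> root so they parse.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPSOnly</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPSOrHTTP</web-resource-name>
    <url-pattern>*.ico</url-pattern>
    <url-pattern>/img/*</url-pattern>
    <url-pattern>/css/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
</web-app>"""

# Hypothetical sample paths chosen to exercise each pattern type.
SAMPLE_PATHS = ["/index.jsp", "/img/logo.png", "/css/site.css",
                "/favicon.ico", "/img"]


def load_constraints(xml_text):
    """Return (url_pattern, transport_guarantee) pairs from a web.xml string."""
    root = ET.fromstring(xml_text)
    # Real deployment descriptors carry a default namespace; strip it so the
    # tag names below match regardless.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    pairs = []
    for sc in root.iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee")
                     or "NONE").strip()
        for coll in sc.findall("web-resource-collection"):
            for up in coll.findall("url-pattern"):
                pairs.append(((up.text or "").strip(), guarantee))
    return pairs


def _best_patterns(path, patterns):
    """Pick the best-matching pattern(s) for path using the Servlet-spec
    precedence: exact, longest path prefix ("/x/*"), extension ("*.ext"),
    then the default pattern "/"."""
    pats = set(patterns)
    if path in pats:
        return [path]
    best = None
    for p in pats:
        if p.endswith("/*"):
            # "/img/*" matches "/img" itself and anything under "/img/".
            if path == p[:-2] or path.startswith(p[:-1]):
                if best is None or len(p) > len(best):
                    best = p
    if best is not None:
        return [best]
    parts = path.rsplit(".", 1)
    if len(parts) == 2 and "/" not in parts[1] and "*." + parts[1] in pats:
        return ["*." + parts[1]]
    if "/" in pats:
        return ["/"]
    return []


def effective_guarantee(path, pairs):
    """Transport guarantee that applies to path, or UNCONSTRAINED if none."""
    selected = _best_patterns(path, [p for p, _ in pairs])
    guarantees = [g for p, g in pairs if p in selected]
    if not guarantees:
        return "UNCONSTRAINED"
    # Constraints on the same pattern are unioned by the container, so a
    # single NONE makes plain HTTP acceptable for that pattern.
    return "NONE" if "NONE" in guarantees else guarantees[0]


def audit(xml_text, paths):
    """Map each request path to the guarantee the descriptor enforces."""
    pairs = load_constraints(xml_text)
    return {p: effective_guarantee(p, pairs) for p in paths}


if __name__ == "__main__":
    for path, guarantee in audit(WEB_XML, SAMPLE_PATHS).items():
        print(f"{path:16} -> {guarantee}")
```

Run it against your real WEB-INF/web.xml by reading the file into the argument of audit(). Note that a CONFIDENTIAL constraint does not stop Tomcat from answering on port 8080; it makes the container redirect the plain-HTTP request to the connector's redirectPort (8443 in the quoted server.xml), so a scanner probing 8080 still receives a response from Tomcat.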