Posted to user@guacamole.apache.org by Chris Bradford <ch...@outlook.com> on 2017/05/25 19:27:38 UTC

Docker images scanned with OpenVAS :: NVT: Apache Tomcat servlet/JSP container default files

When using OpenVAS <http://www.openvas.org/> to scan a Docker host (Ubuntu 16.04 LTS) running the guacamole/guacd and guacamole/guacamole docker containers the vulnerability below is detected.


Whilst not overly concerning, I was just wondering if at next release this can be addressed, or am I missing something where I can do this myself at image pull/run?


Thanks,


Chris


----------------------------------------------------------------------


NVT: Apache Tomcat servlet/JSP container default files
Config:
Family: Web Servers
OID:    1.3.6.1.4.1.25623.1.0.12085
Version:        $Revision: 4355 $


Summary

The Apache Tomcat servlet/JSP container has default files installed.

Vulnerability Scoring

CVSS base: 6.8

CVSS base vector:

Vulnerability Insight

Default files, such as documentation, default Servlets and JSPs were found on the Apache Tomcat servlet/JSP container.

Vulnerability Detection Method

Quality of Detection: remote_vul (99%)

Impact

These files should be removed as they may help an attacker to guess the exact version of the Apache Tomcat which is running on this host and may provide other useful information.

Solution

Solution type: Mitigation

Remove default files, example JSPs and Servlets from the Tomcat Servlet/JSP container.


Re: Docker images scanned with OpenVAS :: NVT: Apache Tomcat servlet/JSP container default files

Posted by Chris Bradford <ch...@outlook.com>.
>> If you think you've found an issue which has security implications, *please do not post it to the public lists*. Follow responsible disclosure practices [1] and contact us directly.

Considering what was reported, I didn't figure it was a real concern. Had there been a genuine issue (i.e. beyond default files being contained within the container) I'd have done as above. Duly noted.



Re: Docker images scanned with OpenVAS :: NVT: Apache Tomcat servlet/JSP container default files

Posted by Mike Jumper <mi...@guac-dev.org>.
Chris,

If you think you've found an issue which has security implications, *please do not post it to the public lists*. Follow responsible disclosure practices [1] and contact us directly.

Regarding the issue at hand, I agree it's not overly concerning that the Guacamole webapp image (which is based on the Tomcat image) contains the same default webapp present in the Tomcat image, and wouldn't really consider this a vulnerability. If you are concerned about the presence of the default webapp, you can always remove it yourself by creating your own image based on our image. You are also welcome to make and contribute changes to the Dockerfile achieving this. Just follow our contribution guidelines:

https://github.com/apache/incubator-guacamole-client/blob/master/CONTRIBUTING

Thanks,

- Mike

[1] https://en.wikipedia.org/wiki/Responsible_disclosure


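Mike's suggestion (a derived image that strips the Tomcat default webapps the OpenVAS NVT reports, then rescanning) as an added example; this is not the Guacamole project's own code. It assumes a stock Tomcat layout where the webapps directory is passed as the first argument (/usr/local/tomcat/webapps in the official Tomcat image) and that Guacamole is deployed there as "guacamole" so ROOT is unused; the function names and the keep-list mechanism are this example's own.

```shell
#!/bin/sh
# Added example (not Guacamole project code): remove the Tomcat default
# webapps that the OpenVAS NVT flags, then verify that none remain.
# Assumptions: $1 is Tomcat's webapps directory (/usr/local/tomcat/webapps
# in the official Tomcat image) and Guacamole lives there as "guacamole",
# so ROOT is not needed. Pass a keep list as $2 to preserve any of them.

# Webapps shipped with a stock Tomcat: welcome page, docs, examples, managers.
TOMCAT_DEFAULT_APPS="ROOT docs examples manager host-manager"

# strip_default_webapps WEBAPPS_DIR [KEEP_LIST]
# Removes each default webapp (exploded dir and .war) unless named in KEEP_LIST,
# e.g. "ROOT" when Guacamole itself is deployed as the root context.
strip_default_webapps() {
  webapps="$1"
  keep="${2:-}"
  for app in $TOMCAT_DEFAULT_APPS; do
    case " $keep " in
      *" $app "*) continue ;;          # deliberately kept
    esac
    rm -rf "$webapps/$app" "$webapps/$app.war"
  done
}

# check_default_webapps_absent WEBAPPS_DIR
# Returns 0 if no default webapp remains; run it before rescanning the host.
check_default_webapps_absent() {
  webapps="$1"
  for app in $TOMCAT_DEFAULT_APPS; do
    for path in "$webapps/$app" "$webapps/$app.war"; do
      if [ -e "$path" ]; then
        echo "default webapp still present: $path" >&2
        return 1
      fi
    done
  done
  return 0
}

# In a derived Dockerfile the strip step collapses to one RUN line, e.g.:
#   FROM guacamole/guacamole
#   RUN cd /usr/local/tomcat/webapps && rm -rf ROOT docs examples manager host-manager
```

The check function is what to run (for instance through docker exec against the rebuilt container) before re-running OpenVAS to confirm the NVT no longer fires.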