Posted to users@tomcat.apache.org by Rahul Kumar Singh <ra...@nectechnologies.in> on 2015/03/27 14:42:07 UTC

SSL / TLS compression | SPDY service|CVE-2012-4929

Hello Tomcat support team,

Thanks for your continuous support.


Problem : Security issue | CVE-2012-4929

Overview:
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.



The remote service has one of two configurations that are known to be
required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.

The attack allows an attacker to reveal sensitive information that is being passed inside an encrypted SSL tunnel. The most straightforward way to leverage this vulnerability is to use it to retrieve cookies being passed by an application and use them to login to the application as the victim.
The TLS protocol encrypts compressed data without properly obfuscating the length of the unencrypted data. Successful exploitation may result in a remote attacker conducting man-in-the-middle attacks.
According to our analysis it seems:
(No SSL compression in IE; Firefox has disabled it from v15.0 in 2012, and it is already disabled in the latest version of Chrome.)

Solution: Disable compression and / or the SPDY service.

So how do I disable compression and / or the SPDY service in Tomcat 6?


Regards,
Rahul Kumar Singh



DISCLAIMER:
-----------------------------------------------------------------------------------------------------------------------
The contents of this e-mail and any attachment(s) are confidential and
intended
for the named recipient(s) only. 
It shall not attach any liability on the originator or NEC or its
affiliates. Any views or opinions presented in 
this email are solely those of the author and may not necessarily reflect the
opinions of NEC or its affiliates. 
Any form of reproduction, dissemination, copying, disclosure, modification,
distribution and / or publication of 
this message without the prior written consent of the author of this e-mail is
strictly prohibited. If you have 
received this email in error please delete it and notify the sender
immediately. .
-----------------------------------------------------------------------------------------------------------------------

Re: SSL / TLS compression | SPDY service|CVE-2012-4929

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ognjen,

On 3/27/15 11:04 AM, Ognjen Blagojevic wrote:
> On 27.3.2015 14:42, Rahul Kumar Singh wrote:
>> So how to disable compression and / or the SPDY service in
>> tomcat6.
> 
> If you are using JSSE connectors (BIO/NIO/NIO2), compression is
> already disabled because JSSE does not support it, and there is no
> support for SPDY protocol on those connectors.
> 
> If you are using APR/Native connector, if you didn't explicitly
> enabled it, SPDY is disabled by default. You may disable TLS
> compression using APR/Native connector parameter
> SSLDisableCompression="true".

+1

The Tomcat 6 documentation is a little less readable than the Tomcat 7
documentation. In Tomcat 7, the "HTTP Connector" page documents the
SSLDisableCompression configuration attribute, but in Tomcat 6, you
have to read the APR page:
http://tomcat.apache.org/tomcat-6.0-doc/apr.html

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL / TLS compression | SPDY service|CVE-2012-4929

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Rahul,

On 3/27/15 10:42 PM, Rahul Kumar Singh wrote:
> Ok I understand, Is it mentioned somewhere in tomcat spec. That it
> is not being used in JSSE connector.
> 
> Based on the above answer my next question: If any browser is
> affected with this CVE , then what happen, e.g IE-11. If user tries
> to open the web application from IE-11 , then what happen.

If the server does not support TLS or SPDY compression, then it
doesn't matter what problems the client has.

I'm not sure if there's a way to disable SPDY compression, since it's
built into the SPDY protocol.

-chris



Re: SSL / TLS compression | SPDY service|CVE-2012-4929

Posted by André Warnier <aw...@ice-sa.com>.
Rahul Kumar Singh wrote:
> Ok I understand, 
> Is it mentioned somewhere in tomcat spec. That it is not being used in JSSE connector.
> 
> Based on the above answer my next question:
> If any browser is affected with this CVE , then what happen, e.g IE-11.
> If user tries to open the web application from IE-11 , then what happen.

Why don't you try it yourself, and report here if there is a problem that you believe may affect the Tomcat community?



RE: SSL / TLS compression | SPDY service|CVE-2012-4929

Posted by Rahul Kumar Singh <ra...@nectechnologies.in>.
Ok, I understand.
Is it mentioned somewhere in the Tomcat spec that it is not being used in the JSSE connector?

Based on the above answer, my next question:
If any browser is affected by this CVE, e.g. IE 11, then what happens?
If a user tries to open the web application from IE 11, then what happens?


Re: SSL / TLS compression | SPDY service|CVE-2012-4929

Posted by Ognjen Blagojevic <og...@gmail.com>.
Rahul,

On 27.3.2015 14:42, Rahul Kumar Singh wrote:
> So how to disable compression and / or the SPDY service in tomcat6.

If you are using JSSE connectors (BIO/NIO/NIO2), compression is already
disabled because JSSE does not support it, and there is no support for
the SPDY protocol on those connectors.

If you are using the APR/Native connector, SPDY is disabled by default unless
you explicitly enabled it. You may disable TLS compression using the
APR/Native connector parameter SSLDisableCompression="true".

-Ognjen

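An added audit check, not code from this thread or from the Tomcat project, that applies Ognjen's distinction to a server.xml: JSSE connectors pass, APR/native HTTPS connectors pass only when SSLDisableCompression="true" is set. The server.xml inside the block is a constructed sample; the connector class names are Tomcat's own, and a bare protocol="HTTP/1.1" is treated as APR because Tomcat selects the native connector for it when the native library is loaded.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): one JSSE connector,
# one APR connector with the default, and one APR connector already fixed.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/server.crt"
               SSLCertificateKeyFile="conf/server.key"/>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/server.crt"
               SSLCertificateKeyFile="conf/server.key"
               SSLDisableCompression="true"/>
  </Service>
</Server>"""

# Connector implementations that use JSSE; JSSE never negotiates TLS compression.
JSSE_PROTOCOLS = (
    "org.apache.coyote.http11.Http11Protocol",
    "org.apache.coyote.http11.Http11NioProtocol",
    "org.apache.coyote.http11.Http11Nio2Protocol",
)

def audit_tls_compression(server_xml):
    """Return (port, verdict) for every SSLEnabled connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        # protocol="HTTP/1.1" resolves to APR when the native library is loaded,
        # so anything not explicitly JSSE is treated as APR/native.
        proto = conn.get("protocol", "HTTP/1.1")
        if proto in JSSE_PROTOCOLS:
            findings.append((port, "ok: JSSE connector, no TLS compression support"))
        elif conn.get("SSLDisableCompression", "false").lower() == "true":
            findings.append((port, 'ok: SSLDisableCompression="true"'))
        else:
            findings.append((port, 'FIX: APR/native connector, set SSLDisableCompression="true"'))
    return findings

if __name__ == "__main__":
    for port, verdict in audit_tls_compression(SAMPLE_SERVER_XML):
        print(port, verdict)
```

Run it against a real conf/server.xml by passing the file contents to audit_tls_compression; any FIX line is a connector that can still negotiate TLS compression with a client that offers it.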