Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/11/11 12:27:31 UTC

svn commit: r1540672 - in /tomcat/tc7.0.x/trunk: ./ webapps/docs/changelog.xml webapps/docs/security-howto.xml

Author: markt
Date: Mon Nov 11 11:27:30 2013
New Revision: 1540672

URL: http://svn.apache.org/r1540672
Log:
Add more detail to the security how-to

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1540670

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1540672&r1=1540671&r2=1540672&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Nov 11 11:27:30 2013
@@ -217,6 +217,11 @@
         the <code>CombinedRealm</code> and <code>LockOutRealm</code>. Patch by
         Cédric Couralet. (markt)
       </fix>
+      <add>
+        Expand the information on web applications that ship as part of Tomcat
+        in the security how-to section of the documentation web application.
+        (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Extras">
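Review bot: the changelog entry only says the information on bundled web applications was expanded, but the same commit also adds the new "Securing Management Applications" guidance (strong passwords, keeping the LockOutRealm, uncommenting the RemoteAddrValve); naming that subsection in the entry would let readers of the changelog find the hardening advice directly.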

Modified: tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml?rev=1540672&r1=1540671&r2=1540672&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml Mon Nov 11 11:27:30 2013
@@ -72,10 +72,74 @@
   </section>
 
   <section name="Default web applications">
-    <p>Tomcat ships with a number of web applications by default.
-    Vulnerabilities have been discovered in these applications in the past.
-    Applications that are not required should be removed so the system will not
-    be at risk if another vulnerability is discovered.</p>
+
+    <subsection name="General">
+      <p>Tomcat ships with a number of web applications that are enabled by
+      default. Vulnerabilities have been discovered in these applications in the
+      past. Applications that are not required should be removed so the system
+      will not be at risk if another vulnerability is discovered.</p>
+    </subsection>
+
+    <subsection name="ROOT">
+      <p>The ROOT web application presents a very low security risk but it does
+      include the version of Tomcat that is being used. The ROOT web application
+      should normally be removed from a publicly accessible Tomcat instance, not
+      for security reasons, but so that a more appropriate default page is shown
+      to users.</p>
+    </subsection>
+
+    <subsection name="Documentation">
+      <p>The documentation web application presents a very low security risk but
+      it does identify the version of Tomcat that is being used. It should
+      normally be removed from a publicly accessible Tomcat instance.</p>
+    </subsection>
+
+    <subsection name="Examples">
+      <p>The examples web application should always be removed from any security
+      sensitive installation. While the examples web application does not
+      contain any known vulnerabilities, it is known to contain features
+      (particularly the cookie examples that display the contents of all
+      received and allow new cookies to be set) that may be used by an attacker
+      in conjunction with a vulnerability in another application deployed on the
+      Tomcat instance to obtain additional information that would otherwise be
+      unavailable.</p>
+    </subsection>
+
+    <subsection name="Manager">
+      <p>The Manager application allows the remote deployment of web
+      applications and is frequently targeted by attackers due to the widespread
+      use of weak passwords and publicly accessible Tomcat instances with the
+      Manager application enabled. The Manager application is not accessible by
+      default as no users are configured with the necessary access. If the
+      Manager application is enabled then guidance in the section
+      <strong>Securing Management Applications</strong> section should be
+      followed.</p>
+    </subsection>
+
+    <subsection name="Host Manager">
+      <p>The Host Manager application allows the creation and management of
+      virtual hosts - including the enabling of the Manager application for a
+      virtual host. The Host Manager application is not accessible by default a
+      no users are configured with the necessary access. If the Manager
+      application is enabled then guidance in the section <strong>Securing
+      Management Applications</strong> section should be followed.</p>
+    </subsection>
+
+   <subsection name="Securing Management Applications">
+     <p>When deploying a web application that provides management functions for
+     the Tomcat instance, the following guidelines should be followed:</p>
+     <ul>
+       <ol>Ensure that any users permitted to access the management application
+           have strong passwords.</ol>
+       <ol>Do not remove the use of the <a
+           href="config/realm.html#LockOut_Realm_-_org.apache.catalina.realm.LockOutRealm">LockOutRealm</a>
+           which prevents brute force attacks against user passwords.</ol>
+       <ol>Uncomment the <a href="config/valve.html#Remote_Address_Filter">RemoteAddrValve</a>
+           in <code>/META-INF/context.xml</code> which limits access to
+           localhost. If remote access is required, limit it to specific IP
+           addresses using this valve.</ol>
+     </ul>
+   </subsection>
   </section>
 
   <section name="Security manager">
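Review bot: the guidelines list at the end of the new "Securing Management Applications" subsection nests three `<ol>` elements inside a `<ul>`; each item should be an `<li>` (keeping the outer `<ul>`, or switching it to `<ol>` if numbered steps are intended), otherwise the rendered page shows three nested lists rather than three bullets. Further points in this hunk: in the Host Manager paragraph "not accessible by default a no users" should read "as no users"; both the Manager and Host Manager paragraphs say "guidance in the section <strong>...</strong> section should be followed", repeating "section"; the Host Manager paragraph conditions its advice on "If the Manager application is enabled" where "Host Manager" appears to be meant; and the RemoteAddrValve item's "/META-INF/context.xml" reads like an absolute path, so state that it is the management application's own META-INF/context.xml (not conf/context.xml) that the reader should edit.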



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r1540672 - in /tomcat/tc7.0.x/trunk: ./ webapps/docs/changelog.xml webapps/docs/security-howto.xml

Posted by Konstantin Kolinko <kn...@gmail.com>.
2013/11/11  <ma...@apache.org>:
> Author: markt
> Date: Mon Nov 11 11:27:30 2013
> New Revision: 1540672
>
> URL: http://svn.apache.org/r1540672
> Log:
> Add more detail to the security how-to
>
> Modified:
>     tomcat/tc7.0.x/trunk/   (props changed)
>     tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
>     tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
>
>
> Modified: tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
> URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml?rev=1540672&r1=1540671&r2=1540672&view=diff
> ==============================================================================
> --- tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml (original)
> +++ tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml Mon Nov 11 11:27:30 2013
> @@ -72,10 +72,74 @@
>    </section>
>
>    <section name="Default web applications">
> -    <p>Tomcat ships with a number of web applications by default.
> -    Vulnerabilities have been discovered in these applications in the past.
> -    Applications that are not required should be removed so the system will not
> -    be at risk if another vulnerability is discovered.</p>
> +
> +    <subsection name="General">
> +      <p>Tomcat ships with a number of web applications that are enabled by
> +      default. Vulnerabilities have been discovered in these applications in the
> +      past. Applications that are not required should be removed so the system
> +      will not be at risk if another vulnerability is discovered.</p>
> +    </subsection>
> +
> +    <subsection name="ROOT">
> +      <p>The ROOT web application presents a very low security risk but it does
> +      include the version of Tomcat that is being used. The ROOT web application
> +      should normally be removed from a publicly accessible Tomcat instance, not
> +      for security reasons, but so that a more appropriate default page is shown
> +      to users.</p>
> +    </subsection>
> +
> +    <subsection name="Documentation">
> +      <p>The documentation web application presents a very low security risk but
> +      it does identify the version of Tomcat that is being used. It should
> +      normally be removed from a publicly accessible Tomcat instance.</p>
> +    </subsection>
> +
> +    <subsection name="Examples">
> +      <p>The examples web application should always be removed from any security
> +      sensitive installation. While the examples web application does not
> +      contain any known vulnerabilities, it is known to contain features
> +      (particularly the cookie examples that display the contents of all
> +      received and allow new cookies to be set) that may be used by an attacker
> +      in conjunction with a vulnerability in another application deployed on the
> +      Tomcat instance to obtain additional information that would otherwise be
> +      unavailable.</p>
> +    </subsection>
> +
> +    <subsection name="Manager">
> +      <p>The Manager application allows the remote deployment of web
> +      applications and is frequently targeted by attackers due to the widespread
> +      use of weak passwords and publicly accessible Tomcat instances with the
> +      Manager application enabled. The Manager application is not accessible by
> +      default as no users are configured with the necessary access. If the
> +      Manager application is enabled then guidance in the section
> +      <strong>Securing Management Applications</strong> section should be
> +      followed.</p>
> +    </subsection>
> +
> +    <subsection name="Host Manager">
> +      <p>The Host Manager application allows the creation and management of
> +      virtual hosts - including the enabling of the Manager application for a
> +      virtual host. The Host Manager application is not accessible by default a
> +      no users are configured with the necessary access. If the Manager
> +      application is enabled then guidance in the section <strong>Securing
> +      Management Applications</strong> section should be followed.</p>
> +    </subsection>
> +
> +   <subsection name="Securing Management Applications">
> +     <p>When deploying a web application that provides management functions for
> +     the Tomcat instance, the following guidelines should be followed:</p>
> +     <ul>
> +       <ol>Ensure that any users permitted to access the management application
> +           have strong passwords.</ol>
> +       <ol>Do not remove the use of the <a
> +           href="config/realm.html#LockOut_Realm_-_org.apache.catalina.realm.LockOutRealm">LockOutRealm</a>
> +           which prevents brute force attacks against user passwords.</ol>
> +       <ol>Uncomment the <a href="config/valve.html#Remote_Address_Filter">RemoteAddrValve</a>
> +           in <code>/META-INF/context.xml</code> which limits access to
> +           localhost. If remote access is required, limit it to specific IP
> +           addresses using this valve.</ol>
> +     </ul>
> +   </subsection>
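Review bot: in the Examples paragraph, "display the contents of all received and allow new cookies to be set" is missing a noun after "all received" (presumably "all received cookies"). The ROOT paragraph also says removal is "not for security reasons" immediately after noting that the application reveals the Tomcat version, while the Documentation paragraph treats the same version disclosure as the reason to remove it; aligning the two would stop a reader concluding that version disclosure does not matter.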

Good!

Several notes:
1) Re "no users are configured with the necessary access".

While the above is true, it is easy to configure such users if one is
not cautious.
If one either follows the Windows installation wizard and types in
name and password,
or follows some 3rd party installation guide that shows an example of
configuring tomcat-users.xml but does not mention the implications of
such configuration.
(E.g. some installation guide for MacOs that was mentioned recently).

2) The "manager-script", "manager-jmx", "admin-script" users do not
have CSRF protection.

The "manager-jmx" user is especially harmful.

"manager-gui", "manager-status", "admin-gui" should be OK.


Best regards,
Konstantin Kolinko
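A defender's check for the two points raised in this thread: management users holding the script/JMX roles that the reply says lack CSRF protection, and whether the RemoteAddrValve named in the how-to is actually uncommented rather than still sitting in an XML comment. This is an added example, not code from the thread or from Tomcat; the tomcat-users.xml and context.xml contents are constructed samples and the password-length threshold is an assumed local policy.

```python
import xml.etree.ElementTree as ET
# Roles the reply singles out as having no CSRF protection; the GUI/status
# roles it calls OK are deliberately not in this set.
CSRF_UNPROTECTED_ROLES = {"manager-script", "manager-jmx", "admin-script"}

# Constructed sample tomcat-users.xml, in the shape a third-party install
# guide might leave behind (hypothetical users, not a real deployment).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <user username="admin" password="admin" roles="manager-gui,manager-script,manager-jmx"/>
  <user username="deploy" password="x7!Qk2#vLm9pR$wz" roles="manager-script"/>
  <user username="ops" password="S3cure-Passphrase-For-Ops" roles="manager-gui"/>
</tomcat-users>
"""
# Constructed manager META-INF/context.xml with the RemoteAddrValve still
# commented out, i.e. the state the how-to tells the reader to change.
SAMPLE_CONTEXT_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  -->
</Context>
"""

def audit_tomcat_users(xml_text, min_password_len=12):
    """Return (username, finding) tuples for risky management accounts.
    min_password_len is an assumed local policy value, not a Tomcat setting."""
    findings = []
    for user in ET.fromstring(xml_text).iter():
        if user.tag.split("}")[-1] != "user":   # tolerate a namespace prefix
            continue
        name = user.get("username", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if roles and (len(password) < min_password_len or password == name):
            findings.append((name, "weak password on a management account"))
        for role in sorted(roles & CSRF_UNPROTECTED_ROLES):
            findings.append((name, f"role {role} has no CSRF protection"))
    return findings

def remote_addr_valve_active(context_xml):
    """True only if a RemoteAddrValve is a live element; a valve left inside
    an XML comment is dropped by the parser and therefore does not count."""
    return any(el.tag.split("}")[-1] == "Valve"
               and el.get("className", "").endswith(".RemoteAddrValve")
               for el in ET.fromstring(context_xml).iter())
```

Run the two functions against the real files under CATALINA_BASE/conf and the manager and host-manager META-INF directories; an empty findings list plus a True valve check is the state the how-to asks for.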
