Posted to users@tomcat.apache.org by Peter Kreuser <lo...@kreuser.name> on 2019/08/02 05:32:31 UTC

[slightly OT] Re: Apache Vulnerability - Understanding Connector Protocols

Michael, Mark and Chris,

> On 02.08.2019 at 01:40, Christopher Schultz <ch...@christopherschultz.net> wrote:
> 
> 
> Michael,
> 
>>>> On 8/1/19 15:21, Michael Osipov wrote:
>>>> On 2019-08-01 at 21:19, Mark Thomas wrote:
>>>> On 01/08/2019 20:07, Justiniano, Tony wrote:
>>>> And that is what I was thinking, inadvertently, our scanning
>>>> tool just found the apache version during a scan and
>>>> corresponded it (the apache version) with a CVE.
>>>> 
>>>> Do you concur?
>>> 
>>> Sounds likely. Most low quality scanning tools only look at the
>>> version number.
>> 
>> I was told the same security by obscurity nonsense by our ISEC
>> team.

Being the ISEC team(!), I'd ask you to validate the finding and do your homework: patch (you do, right?) or reconfigure your system, and if it is a false positive, mark it as such. Done. So you are aware of the possible problems and you have assessed the risk: no http/2==0! (Well, you don't enable it next week, of course?!)

I assume no one here would like a vuln scanner to exploit all issues and tear a system down. But of course there are stupid and better ones (scanners and ISEC teams ;-)). Nevertheless, the process of excluding false positives should be reasonable.

> The OP should just set their reported version number to Tomcat 4.3 and
> let it completely freak out.

Just for the test of it: great idea!

But one of the first hardening actions on Tomcat is to disable the standard error pages and version info, and to remove the Server header (set it to IIS if you like!):

        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />

That reduces these findings and the information available to attackers.

Peter
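As an added example (not from Peter's post or from the Tomcat project), a small Python check a security team could run over a captured HTTP response to confirm that the hardening above really removed the version markers a version-matching scanner keys on. The responses below are constructed samples, not captures from a real server.

```python
import re
from typing import Dict, List

# Markers a version-matching scanner would key on. The <h3>Apache Tomcat/x.y.z</h3>
# footer is what ErrorReportValve prints unless showServerInfo="false"; the Server
# header is whatever the Connector advertises (older defaults sent Apache-Coyote/1.1).
TOMCAT_FOOTER_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)*)")
SERVER_HEADER_RE = re.compile(r"Apache-Coyote|Tomcat", re.IGNORECASE)


def version_disclosures(headers: Dict[str, str], body: str) -> List[str]:
    """Return findings describing where a response reveals Tomcat or its version.

    An empty list means neither the Server header nor the error page body
    identifies the server, i.e. the hardening took effect.
    """
    findings: List[str] = []
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    server = lowered.get("server")
    if server and SERVER_HEADER_RE.search(server):
        findings.append(f"Server header identifies Tomcat: {server!r}")
    footer = TOMCAT_FOOTER_RE.search(body)
    if footer:
        findings.append(f"error page footer reveals version {footer.group(1)}")
    return findings


# Constructed sample 1: stock ErrorReportValve output with a Server header set.
DEFAULT_HEADERS = {"Server": "Apache-Coyote/1.1", "Content-Type": "text/html;charset=utf-8"}
DEFAULT_BODY = (
    "<!doctype html><html><head><title>HTTP Status 404 \u2013 Not Found</title></head>"
    "<body><h1>HTTP Status 404 \u2013 Not Found</h1><hr class=\"line\" />"
    "<h3>Apache Tomcat/9.0.22</h3></body></html>"
)

# Constructed sample 2: showReport="false" showServerInfo="false", no Server header.
HARDENED_HEADERS = {"Content-Type": "text/html;charset=utf-8"}
HARDENED_BODY = ""

# Constructed sample 3: same hardened valve, Server header deliberately set to IIS.
IIS_HEADERS = {"Server": "Microsoft-IIS/10.0", "Content-Type": "text/html;charset=utf-8"}

if __name__ == "__main__":
    for label, hdrs, body in (("default", DEFAULT_HEADERS, DEFAULT_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY),
                              ("iis", IIS_HEADERS, HARDENED_BODY)):
        print(label, version_disclosures(hdrs, body) or "no version disclosure")
```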
> - -chris