It's all about the answers!

Ask a question

McAfee Vulnerability Scan Report shows vulnerablities related to tomcat


Sajjad Ali Khan (31447) | asked Aug 08 '15, 6:58 a.m.
 Hi All. Our client had a McAfee Vulnerability Scan over the same machine where we deployed CLM, they have found following vulnerabilities related to the tomcat which is our application server:

1, Apache Tomcat Chunked Request Handling Vulnerability [FID 17880]

2, TLS/SSL RC4 Cipher Suites Information Disclosure Vulnerability [FID 18179]

3, Apache Tomcat Response Request Body Denial of Service [FID 18355]

4, Apache Tomcat Security Manager Bypass [FID 18384]

Please guide/suggest me how i can resolve above vulnerabilities, do i need to upgrade Tomcat if yes then to which version i need to upgrade as currently i have the tomcat which comes with the CLM 5.0.2 as a bundled. need your help over this urgently .

One answer



permanent link
Kevin Ramer (4.3k6156172) | answered Aug 08 '15, 9:11 a.m.
edited Aug 08 '15, 9:16 a.m.
 I would suggest upgrade to the latest available version of tomcat in the same release.  I.e. if Tomcat is 7.0.XX go to tomcat.apache.org, find the most recent package for your platform.  You cannot just drop the new version onto the existing one as the CLM setup will be lost.   Here's how I've upgraded Tomcat from the default provided in the CLM package:
  1. Stop the CLM application server ( tomcat )
  2. copy or move the tomcat/conf/server.xml, your certificate file and the tomcat/webapps directory to a location "above" the tomcat directory
  3. unpack the downloaded tomcat package in the <jazz_install>/server/ directory.  I think it will create a directory with apache-tomcat-Vers as the name.  Rename the old tomcat directory, then rename the new directory tomcat
  4. Move replace the tomcat/conf/server.xml with the one you saved, also move the certificate file to its original location.   Also put the webapps dir back under tomcat directory
I wrote the above from memory and it has been over one year since we used Tomcat.  Search this forum or the library for explicit instructions.

You can also search google for the exact phrases of all 4 of your entries and find references.  e.g.
https://tomcat.apache.org/security-7.html

The RC4 will not be fixed by any upgrade, rather one must exclude (delete) those ciphers in the tomcat/conf/server.xml file.  

I'm surprised the McAfee does not also provide a CVE reference which would give more precise descriptions/remediation of its findings.

Comments
Sajjad Ali Khan commented Aug 08 '15, 11:38 a.m. | edited Aug 08 '15, 6:26 p.m.

Dear Kevin Ramer,


Thanks a lot brother for giving me your suggestions will follow them.

No issue i will search for more accurate steps to upgrade Tomcat of CLM

Secondly, regarding RC4 could you please elaborate more like in the "Tomcat/conf/server.xml" file what exactly i need to delete ? what i can not delete ? just a bit more elaboration regarding this would be great for me as it would be first time will be deleting anything from server.xml and if i do anything wrong then it will become another issue for me


Donald Nong commented Aug 10 '15, 2:15 a.m.

To upgrade the Tomcat server, follow the steps in this technote.
http://www-01.ibm.com/support/docview.wss?uid=swg21687641

To exclude/delete the undesired ciphers, simple remove them in the server.xml file from the line similar to this one.

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
You need to remove the ones with "RC4" in the name.


Sajjad Ali Khan commented Sep 18 '15, 3:49 a.m. | edited Sep 20 '15, 8:58 p.m.

Dear Both Kevin Ramer & Donald Nong

We had a Appscan over the machine where we have deployed CLM and after running scan following are the vulnerabilities:

1, Browser Exploit Against SSL/TLS (a.k.a. BEAST) 1
2, Factoring RSA Export Keys (a.k.a. FREAK) 1
3,  Inadequate Account Lockout 1
4, Missing Secure Attribute in Encrypted Session (SSL) Cookie 1
5, RC4 cipher suites were detected 1
6, Session Identifier Not Updated 1
7, Weak SSL Cipher Suites are Supported

Can you guys have any knowledge about how we can fix these vulnerabilities ?


Donald Nong commented Sep 20 '15, 9:03 p.m.

These are almost the same vulnerabilities detected by McAfee and you should follow Kevin 's suggestions above. You should make yourself more familiar with security concepts to better handle such situation. For example, you should recognize that vulnerabilities are mainly concerning Tomcat. The below articles should be a good start.
https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
https://www.owasp.org/index.php/Securing_tomcat
https://www.mulesoft.com/tcat/tomcat-security
http://geekflare.com/apache-tomcat-hardening-and-security-guide/

Your answer


Register or to post your answer.