Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

McAfee Vulnerability Scan Report shows vulnerablities related to tomcat

Questions
Tags
Users
Badges
Sajjad Ali Khan
(314152) Aug 08 '15, 6:58 a.m.
 Hi All. Our client had a McAfee Vulnerability Scan over the same machine where we deployed CLM, they have found following vulnerabilities related to the tomcat which is our application server:

1, Apache Tomcat Chunked Request Handling Vulnerability [FID 17880]

2, TLS/SSL RC4 Cipher Suites Information Disclosure Vulnerability [FID 18179]

3, Apache Tomcat Response Request Body Denial of Service [FID 18355]

4, Apache Tomcat Security Manager Bypass [FID 18384]

Please guide/suggest me how i can resolve above vulnerabilities, do i need to upgrade Tomcat if yes then to which version i need to upgrade as currently i have the tomcat which comes with the CLM 5.0.2 as a bundled. need your help over this urgently .

0 votes

1 answer
6,980 views
0 votes

One answer

Permanent link
Kevin Ramer
(4.5k9186201) edited
Aug 08 '15, 9:16 a.m.
 I would suggest upgrade to the latest available version of tomcat in the same release.  I.e. if Tomcat is 7.0.XX go to tomcat.apache.org, find the most recent package for your platform.  You cannot just drop the new version onto the existing one as the CLM setup will be lost.   Here's how I've upgraded Tomcat from the default provided in the CLM package:
  1. Stop the CLM application server ( tomcat )
  2. copy or move the tomcat/conf/server.xml, your certificate file and the tomcat/webapps directory to a location "above" the tomcat directory
  3. unpack the downloaded tomcat package in the <jazz_install>/server/ directory.  I think it will create a directory with apache-tomcat-Vers as the name.  Rename the old tomcat directory, then rename the new directory tomcat
  4. Move replace the tomcat/conf/server.xml with the one you saved, also move the certificate file to its original location.   Also put the webapps dir back under tomcat directory
I wrote the above from memory and it has been over one year since we used Tomcat.  Search this forum or the library for explicit instructions.

You can also search google for the exact phrases of all 4 of your entries and find references.  e.g.
https://tomcat.apache.org/security-7.html

The RC4 will not be fixed by any upgrade, rather one must exclude (delete) those ciphers in the tomcat/conf/server.xml file.  

I'm surprised the McAfee does not also provide a CVE reference which would give more precise descriptions/remediation of its findings.

2 votes

Comments
Sajjad Ali Khan
Aug 08 '15, 6:26 p.m.

Dear Kevin Ramer,


Thanks a lot brother for giving me your suggestions will follow them.

No issue i will search for more accurate steps to upgrade Tomcat of CLM

Secondly, regarding RC4 could you please elaborate more like in the "Tomcat/conf/server.xml" file what exactly i need to delete ? what i can not delete ? just a bit more elaboration regarding this would be great for me as it would be first time will be deleting anything from server.xml and if i do anything wrong then it will become another issue for me

Donald Nong
Aug 10 '15, 2:15 a.m.

To upgrade the Tomcat server, follow the steps in this technote.
http://www-01.ibm.com/support/docview.wss?uid=swg21687641

To exclude/delete the undesired ciphers, simple remove them in the server.xml file from the line similar to this one.

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
You need to remove the ones with "RC4" in the name.

Sajjad Ali Khan
Sep 20 '15, 8:58 p.m.

Dear Both Kevin Ramer & Donald Nong

We had a Appscan over the machine where we have deployed CLM and after running scan following are the vulnerabilities:

1, Browser Exploit Against SSL/TLS (a.k.a. BEAST) 1
2, Factoring RSA Export Keys (a.k.a. FREAK) 1
3,  Inadequate Account Lockout 1
4, Missing Secure Attribute in Encrypted Session (SSL) Cookie 1
5, RC4 cipher suites were detected 1
6, Session Identifier Not Updated 1
7, Weak SSL Cipher Suites are Supported

Can you guys have any knowledge about how we can fix these vulnerabilities ?

Donald Nong
Sep 20 '15, 9:03 p.m.

These are almost the same vulnerabilities detected by McAfee and you should follow Kevin 's suggestions above. You should make yourself more familiar with security concepts to better handle such situation. For example, you should recognize that vulnerabilities are mainly concerning Tomcat. The below articles should be a good start.
https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
https://www.owasp.org/index.php/Securing_tomcat
https://www.mulesoft.com/tcat/tomcat-security
http://geekflare.com/apache-tomcat-hardening-and-security-guide/

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 7,495
× 1,700
× 382

Question asked: Aug 08 '15, 6:58 a.m.

Question was seen: 6,980 times

Last updated: Sep 20 '15, 9:03 p.m.

Confirmation Cancel Confirm