January 17th, 2013 07:00

OMSA 7.2 Tomcat version

Our security audit is flagging the version of Apache Tomcat that OMSA 7.2 is using as being a vulnerability.  The description is:

According to its self-reported version number, the instance of Apache Tomcat 7.0 listening on the remote host is earlier than Tomcat 7.0.32 and, therefore, may be affected by a security bypass vulnerability. 

 An error exists in the file 'filters/CsrfPreventionFilter.java' that can allow cross-site request forgery (CSRF) attacks to bypass the filtering. This can allow access to protected resources without a session identifier. 

Has anyone else come across this and found a work around?  Or does anyone know if/when the version of tomcat used by OMSA will be updated?

Thanks

2 Posts

January 18th, 2013 14:00

Our security tools are flagging multiple (4!) vulnerabilities in OMSA 7.2 as well.  OMSA is using a woefully out of date version of Apache Tomcat, and the vulnerabilities are all apparently corrected in newer versions of Apache Tomcat:

  • OMSA 7.2.0 uses Apache Tomcat 7.0.23.
  • The first version of Apache Tomcat that corrects all 4 of the vulnerabilities listed below is 7.0.32.
  • The LATEST version of Apache Tomcat as I write this is 7.0.35.

The CVE links are as follows - the CSRF one that Daniel O posted about is vulnerability 3 below (CVE-2012-4431):

Vulnerability 1 - Apache Tomcat Security Bypass and Denial of Service Vulnerabilities:

National Vulnerability Database (NVD) (CVE-2012-2733)

National Vulnerability Database (NVD) (CVE-2012-5885)

National Vulnerability Database (NVD) (CVE-2012-5886)

National Vulnerability Database (NVD) (CVE-2012-5887)

 

Vulnerability 2 - Apache Tomcat NIO Connector Sendfile HTTPS Denial of Service:

National Vulnerability Database (NVD) (CVE-2012-4534)

 

Vulnerability 3 - Apache Tomcat CSRF Prevention Filter Security Bypass Vulnerability:

National Vulnerability Database (NVD) (CVE-2012-4431)

 

Vulnerability 4 - Apache Tomcat FormAuthenticator Component Security Bypass Vulnerability:

National Vulnerability Database (NVD) (CVE-2012-3546)

 

Bottom line - Dell... PLEASE update the bundled version of Apache Tomcat in OMSA to a newer version (at least 7.0.32) that corrects these security vulnerabilities!

Thanks

1 Message

February 13th, 2013 23:00

We have also come across these vulnerabilities recently. But as no workaround is found yet, these reports are getting highlighted in the audits.

If anyone knows the work-around till Dell comes up with a new version of Apache, please let us know.

 

2 Posts

February 14th, 2013 08:00

We managed to get the information we needed to manually resolve this, but we had to create a support ticket to make it happen... something like this should just be posted publicly, IMO - as it is a serious enough issue that everyone should know how to resolve.  It worked for us - the vulnerabilities are remediated, and OMSA still works.  Apparently they are going to use a more current Apache Tomcat in future OMSA releases.

So, here's my community contribution - the exact instructions on how to do it:

Upgrade Tomcat instructions for OMSA 7.1 or 7.2:

Just replacing the apache-tomcat folder with the latest one, while retaining the web.xml, server.xml and keystore.db files in the apache-tomcat/conf folder, will work. Taking a careful backup of the apache-tomcat folder will help in reverting back.

Steps to follow:

  1. Download required version of apache-tomcat from web (download zip or tar.gz core distribution only). Core distribution of tomcat works on all OS platforms. Unzip the file and rename it to “apache-tomcat”.
  2. Stop connection service.
  3. Rename apache-tomcat folder in installation folder to “apache-tomcat-7.0.23”.
  4. Copy the output (apache-tomcat folder) of step 1 to installation folder.
  5. Copy the web.xml, keystore.db and server.xml files from /apache-tomcat-7.0.23 (backup folder) to the “apache-tomcat/conf” folder. (This step retains the previous server configuration.)
  6. Copy the omsa folder from the old tomcat webapps folder (/apache-tomcat-7.0.23/webapps) to the new tomcat webapps folder (/apache-tomcat/webapps).
  7. Start connection service.

 

Steps to revert back:

If connection service doesn’t start, it is required to revert back the setup.

  1. Rename “apache-tomcat” folder to “apache-tomcat-downloaded”.
  2. Rename “apache-tomcat-7.0.23” to “apache-tomcat”.
  3. Start connection service.

 

Known issues: the version will not show up correctly on the summary and about pages, or in CLI commands.
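The swap-and-revert procedure above, scripted as an added example (this is not the poster's or Dell's code). It assumes the new core distribution is already unpacked, that the platform's connection-service stop/start commands are supplied by the caller in STOP_SERVICE/START_SERVICE, and that Tomcat's RELEASE-NOTES carries an "Apache Tomcat Version x.y.z" heading, which is what the post-upgrade version check reads.

```shell
#!/bin/sh
# Added example: automate the OMSA Tomcat folder swap with a backup and a revert path.
set -eu

# Files the thread says must survive the swap (from apache-tomcat/conf).
KEEP_CONF="web.xml server.xml keystore.db"

# Placeholders (assumption): set to the platform's connection-service commands.
: "${STOP_SERVICE:=:}"
: "${START_SERVICE:=:}"

# upgrade_tomcat INSTALL_DIR NEW_TOMCAT_DIR OLD_VERSION
upgrade_tomcat() {
    inst=$1; new=$2; backup="$inst/apache-tomcat-$3"
    [ -d "$inst/apache-tomcat" ] || { echo "no apache-tomcat in $inst" >&2; return 1; }
    [ ! -e "$backup" ] || { echo "backup $backup already exists" >&2; return 1; }
    $STOP_SERVICE                                         # step 2
    mv "$inst/apache-tomcat" "$backup"                    # step 3: full backup
    cp -R "$new" "$inst/apache-tomcat"                    # step 4: new distribution
    for f in $KEEP_CONF; do                               # step 5: retain config
        cp "$backup/conf/$f" "$inst/apache-tomcat/conf/$f"
    done
    cp -R "$backup/webapps/omsa" "$inst/apache-tomcat/webapps/omsa"   # step 6
    $START_SERVICE                                        # step 7
}

# revert_tomcat INSTALL_DIR OLD_VERSION: undo the swap if the service fails to start.
revert_tomcat() {
    inst=$1; backup="$inst/apache-tomcat-$2"
    [ -d "$backup" ] || { echo "no backup at $backup" >&2; return 1; }
    mv "$inst/apache-tomcat" "$inst/apache-tomcat-downloaded"
    mv "$backup" "$inst/apache-tomcat"
    $START_SERVICE
}

# tomcat_version TOMCAT_DIR: the self-reported version a scanner compares against.
# Assumes the RELEASE-NOTES heading format "Apache Tomcat Version x.y.z".
tomcat_version() {
    sed -n 's/^ *Apache Tomcat Version \([0-9.]*\).*/\1/p' "$1/RELEASE-NOTES" | head -n 1
}
```

Run `tomcat_version "$INSTALL_DIR/apache-tomcat"` after the swap to confirm the folder now reports at least 7.0.32 before re-scanning.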

2 Posts

February 15th, 2013 15:00

Thanks for the work around EdgeDC, I will have to give this a try on Monday.

1 Message

July 11th, 2013 12:00

Thanks for the steps, these helped me out :)

Vulnerability Management is very necessary and I think Dell systems are easy to use.

Ahdusammar1@

2 Posts

July 12th, 2013 08:00

I'm not sure if this version of Apache was installed with previous version of OMSA. I have disabled the service, I am still able to see the server in OMSA and OME.

I have validated that the server is no longer listening on port tcp/8080.

2 Posts

July 12th, 2013 08:00

I've also run into this. The Security team has uncovered this as an issue with Apache2, not Tomcat.

I've run through the steps listed above and this is still showing a vulnerability with Apache2.

This is part of the report after running a new nessus scan after the work around listed in the above post.

55976 - Apache HTTP Server Byte Range DoS

Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression.

If the host is running a web server based on Apache httpd, contact the vendor for a fix.

20 Posts

July 22nd, 2013 00:00

Hi,

OMSA 7.3 has been released and has Tomcat 7.0.39. Installing the latest OMSA will solve most of the vulnerabilities reported.
