Daniel O

OMSA 7.2 Tomcat version

Our security audit is flagging the version of Apache Tomcat that OMSA 7.2 is using as being a vulnerability.  The description is:

According to its self-reported version number, the instance of Apache Tomcat 7.0 listening on the remote host is earlier than Tomcat 7.0.32 and, therefore, may be affected by a security bypass vulnerability. 

An error exists in the file 'filters/CsrfPreventionFilter.java' that can allow cross-site request forgery (CSRF) attacks to bypass the filtering. This can allow access to protected resources without a session identifier.

Has anyone else come across this and found a workaround?  Or does anyone know if/when the version of Tomcat used by OMSA will be updated?

Thanks

EdgeDC

Re: OMSA 7.2 Tomcat version

Our security tools are flagging multiple (4!) vulnerabilities in OMSA 7.2 as well.  OMSA is using a woefully out of date version of Apache Tomcat, and the vulnerabilities are all apparently corrected in newer versions of Apache Tomcat:

  • OMSA 7.2.0 uses Apache Tomcat 7.0.23.
  • The first version of Apache Tomcat that corrects all 4 of the vulnerabilities listed below is 7.0.32.
  • The LATEST version of Apache Tomcat as I write this is 7.0.35.

The CVE links are as follows - the CSRF one that Daniel O posted about is vulnerability 3 below (CVE-2012-4431):

Vulnerability 1 - Apache Tomcat Security Bypass and Denial of Service Vulnerabilities:
  • National Vulnerability Database (NVD): CVE-2012-2733
  • National Vulnerability Database (NVD): CVE-2012-5885
  • National Vulnerability Database (NVD): CVE-2012-5886
  • National Vulnerability Database (NVD): CVE-2012-5887

Vulnerability 2 - Apache Tomcat NIO Connector Sendfile HTTPS Denial of Service:
  • National Vulnerability Database (NVD): CVE-2012-4534

Vulnerability 3 - Apache Tomcat CSRF Prevention Filter Security Bypass Vulnerability:
  • National Vulnerability Database (NVD): CVE-2012-4431

Vulnerability 4 - Apache Tomcat FormAuthenticator Component Security Bypass Vulnerability:
  • National Vulnerability Database (NVD): CVE-2012-3546

Bottom line - Dell... PLEASE update the bundled version of Apache Tomcat in OMSA to a newer version (at least 7.0.32) that corrects these security vulnerabilities!

Thanks

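The audit finding quoted at the top of the thread is banner-based: the scanner reads the "Apache Tomcat/x.y.z" string that Tomcat 7 prints in its default error pages and compares it with the first fixed release. The check below reproduces that logic, using the thread's own figures (OMSA 7.2.0 ships 7.0.23; 7.0.32 is the first release correcting all four findings). It is an added example, not code from the thread, from Dell or from any scanner vendor; the HTML snippets are constructed to look like Tomcat 7 404 pages and were not captured from a real host.

```python
"""Banner-based Tomcat version check of the kind the audit tool applied.
Added example (not from the thread or from Dell); the HTML snippets below
are constructed, not captured from a real OMSA host."""
import re

# The thread states that Tomcat 7.0.32 is the first release correcting all
# four flagged findings, and that OMSA 7.2.0 ships Tomcat 7.0.23.
FIXED_IN = (7, 0, 32)
FLAGGED_CVES = (
    "CVE-2012-2733", "CVE-2012-5885", "CVE-2012-5886", "CVE-2012-5887",
    "CVE-2012-4534", "CVE-2012-4431", "CVE-2012-3546",
)

# Tomcat 7 prints "Apache Tomcat/x.y.z" in its default error pages; that
# self-reported string is what a version-based scanner keys on.
TOMCAT_BANNER = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def tomcat_version(response_body):
    """Version as an int tuple, or None if no Tomcat banner is present.
    Tuples compare numerically, so e.g. 7.0.9 < 7.0.32 is handled
    correctly (a plain string comparison would get that wrong)."""
    m = TOMCAT_BANNER.search(response_body)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(response_body):
    """Return ("vulnerable", version, cves), ("fixed", version, ()) or
    ("unknown", None, ()).  "unknown" is not a clean result: a hidden or
    edited banner silences a version-based scanner but changes nothing in
    the shipped CsrfPreventionFilter; only the upgrade does that."""
    v = tomcat_version(response_body)
    if v is None:
        return ("unknown", None, ())
    if v < FIXED_IN:
        return ("vulnerable", v, FLAGGED_CVES)
    return ("fixed", v, ())


# Constructed samples shaped like Tomcat 7 default 404 pages.
PAGE_7_0_23 = """<html><head><title>Apache Tomcat/7.0.23 - Error report</title></head>
<body><h1>HTTP Status 404 - /nothing</h1><HR size="1" noshade="noshade">
<h3>Apache Tomcat/7.0.23</h3></body></html>"""

PAGE_7_0_39 = PAGE_7_0_23.replace("7.0.23", "7.0.39")   # the OMSA 7.3 level

PAGE_NO_BANNER = """<html><body><h1>HTTP Status 404 - /nothing</h1>
<h3>Web Server</h3></body></html>"""

if __name__ == "__main__":
    for page in (PAGE_7_0_23, PAGE_7_0_39, PAGE_NO_BANNER):
        print(assess(page))
```

Run against the body of any 404 from the OMSA port (normally tcp/1311) after the upgrade; a "fixed" result with the new version string is what the scanner will also see, while an "unknown" result means only that the banner is gone, not that the CSRF filter bug is.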
Meera K

Re: OMSA 7.2 Tomcat version

We have also come across these vulnerabilities recently. But as no workaround has been found yet, these reports are getting highlighted in the audits.

If anyone knows a workaround until Dell comes up with a new version of Apache, please let us know.

EdgeDC

Re: OMSA 7.2 Tomcat version

We managed to get the information we needed to manually resolve this, but we had to create a support ticket to make it happen... something like this should just be posted publicly, IMO - as it is a serious enough issue that everyone should know how to resolve.  It worked for us - the vulnerabilities are remediated, and OMSA still works.  Apparently they are going to use a more current Apache Tomcat in future OMSA releases.

So, here's my community contribution - the exact instructions on how to do it:

Upgrade Tomcat instructions for OMSA 7.1 or 7.2:

Simply replacing the apache-tomcat folder with the latest version, while retaining the web.xml, server.xml and keystore.db files in the apache-tomcat/conf folder, will work. Taking a careful backup of the apache-tomcat folder will help in reverting.

Steps to follow:

  1. Download the required version of apache-tomcat from the web (download the zip or tar.gz core distribution only). The core distribution of Tomcat works on all OS platforms. Unzip the file and rename the resulting folder to “apache-tomcat”.
  2. Stop the connection service.
  3. Rename the apache-tomcat folder in the installation folder to “apache-tomcat-7.0.23”.
  4. Copy the output of step 1 (the apache-tomcat folder) to the installation folder.
  5. Copy the web.xml, keystore.db and server.xml files from <installed-directory>/apache-tomcat-7.0.23 (the backup folder) to the “apache-tomcat/conf” folder. (This step retains the previous server configuration.)
  6. Copy the omsa folder from the old Tomcat webapps folder (<installed-directory>/apache-tomcat-7.0.23/webapps) to the new Tomcat webapps folder (<installed-directory>/apache-tomcat/webapps).
  7. Start the connection service.

Steps to revert:

If the connection service doesn’t start, the setup must be reverted.

  1. Rename the “apache-tomcat” folder to “apache-tomcat-downloaded”.
  2. Rename “apache-tomcat-7.0.23” to “apache-tomcat”.
  3. Start the connection service.

Known issues: the version will not show up correctly on the summary and about pages, or in CLI commands.

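A scripted version of the seven upgrade steps and the revert procedure above, as an added example that is not part of the post or of Dell's instructions. It assumes the layout the post describes (an `apache-tomcat` folder under the OMSA install directory with `conf/` and `webapps/omsa`), refuses to run if a backup folder is already present or a retained conf file is missing, and takes the platform-specific stop/start commands for the connection service as callables you supply (the commands themselves are an assumption and are not shown). The `demo()` function exercises it against a constructed throw-away directory tree standing in for a real installation; nothing here touches a real Tomcat.

```python
"""Scripted form of the Tomcat-swap procedure from the post above.
Added example; paths, marker files and service hooks are assumptions."""
import shutil
import tempfile
from pathlib import Path

# Files the post says must be carried over from the old conf/ directory.
RETAINED_CONF = ("web.xml", "server.xml", "keystore.db")
BACKUP_NAME = "apache-tomcat-7.0.23"       # backup folder name from the post
REVERT_NAME = "apache-tomcat-downloaded"   # name a failed upgrade gets on revert


def upgrade_tomcat(install_dir, new_tomcat_dir, stop_service, start_service):
    """Steps 2-7 of the post (step 1, the download, is done beforehand).
    Returns True if the connection service came back up, False if it did
    not and the old tree was put back (revert steps 1-3).  stop_service
    and start_service are callables for your platform; start_service must
    return True when the service started."""
    install = Path(install_dir)
    current = install / "apache-tomcat"
    backup = install / BACKUP_NAME
    if backup.exists():
        raise FileExistsError(f"{backup} exists; refusing to overwrite the backup")
    for name in RETAINED_CONF:
        if not (current / "conf" / name).is_file():
            raise FileNotFoundError(f"expected {name} in {current / 'conf'}")

    stop_service()                                      # step 2
    current.rename(backup)                              # step 3
    shutil.copytree(new_tomcat_dir, current)            # step 4
    for name in RETAINED_CONF:                          # step 5
        shutil.copy2(backup / "conf" / name, current / "conf" / name)
    shutil.copytree(backup / "webapps" / "omsa",        # step 6
                    current / "webapps" / "omsa")
    if start_service():                                 # step 7
        return True
    revert(install)
    return False


def revert(install_dir):
    """Revert steps 1 and 2; the caller restarts the service (step 3)."""
    install = Path(install_dir)
    (install / "apache-tomcat").rename(install / REVERT_NAME)
    (install / BACKUP_NAME).rename(install / "apache-tomcat")


def build_fixture(root):
    """Constructed stand-in for an OMSA install carrying Tomcat 7.0.23 plus
    a freshly unpacked newer core distribution.  lib/VERSION is a marker
    file invented for the demo, not something Tomcat ships."""
    root = Path(root)
    old = root / "install" / "apache-tomcat"
    (old / "conf").mkdir(parents=True)
    (old / "webapps" / "omsa").mkdir(parents=True)
    (old / "lib").mkdir()
    for name in RETAINED_CONF:
        (old / "conf" / name).write_text(f"omsa-specific {name}")
    (old / "webapps" / "omsa" / "index.html").write_text("OMSA webapp")
    (old / "lib" / "VERSION").write_text("7.0.23")
    new = root / "apache-tomcat"            # renamed download from step 1
    (new / "conf").mkdir(parents=True)
    (new / "webapps" / "ROOT").mkdir(parents=True)
    (new / "lib").mkdir()
    for name in ("web.xml", "server.xml"):  # stock files that must be replaced
        (new / "conf" / name).write_text(f"stock {name}")
    (new / "lib" / "VERSION").write_text("7.0.35")
    return root / "install", new


def demo(service_starts=True):
    """Run the procedure on the fixture; service_starts=False exercises the revert."""
    with tempfile.TemporaryDirectory() as tmp:
        install, new = build_fixture(tmp)
        ok = upgrade_tomcat(install, new, stop_service=lambda: None,
                            start_service=lambda: service_starts)
        current = install / "apache-tomcat"
        return {
            "started": ok,
            "version": (current / "lib" / "VERSION").read_text(),
            "server_xml": (current / "conf" / "server.xml").read_text(),
            "keystore_kept": (current / "conf" / "keystore.db").is_file(),
            "omsa_kept": (current / "webapps" / "omsa" / "index.html").is_file(),
            "backup_present": (install / BACKUP_NAME).is_dir(),
            "reverted_tree": (install / REVERT_NAME).is_dir(),
        }


if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
```

On a real host, point `install_dir` at the OMSA installation folder, `new_tomcat_dir` at the unpacked core distribution, and pass the stop/start commands for the connection service on that platform; keep the `apache-tomcat-7.0.23` backup until the scanner confirms the new version.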
Daniel O

Re: OMSA 7.2 Tomcat version

Thanks for the work around EdgeDC, I will have to give this a try on Monday.

sohaibraja

Re: OMSA 7.2 Tomcat version

Thanks for the steps, these helped me out.

Vulnerability management is very necessary, and I think Dell systems are easy to use.
kcoe52

Re: OMSA 7.2 Tomcat version

I've also run into this; the security team has uncovered this as an issue with Apache2, not Tomcat.

I've run through the steps listed above, and this is still showing a vulnerability with Apache2.

This is part of the report from a new Nessus scan run after the workaround listed in the above post.

55976 - Apache HTTP Server Byte Range DoS

Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression.

If the host is running a web server based on Apache httpd, contact the vendor for a fix.

kcoe52

Re: OMSA 7.2 Tomcat version

I'm not sure if this version of Apache was installed with a previous version of OMSA. I have disabled the service, and I am still able to see the server in OMSA and OME.

I have validated that the server is no longer listening on port tcp/8080.

dell-deepti

Re: OMSA 7.2 Tomcat version

Hi,

OMSA 7.3 has been released and includes Tomcat 7.0.39. Installing the latest OMSA will resolve most of the vulnerabilities reported.
