Our security audit is flagging the version of Apache Tomcat that OMSA 7.2 is using as being a vulnerability. The description is:
According to its self-reported version number, the instance of Apache Tomcat 7.0 listening on the remote host is earlier than Tomcat 7.0.32 and, therefore, may be affected by a security bypass vulnerability. An error exists in the file 'filters/CsrfPreventionFilter.java' that can allow cross-site request forgery (CSRF) attacks to bypass the filtering. This can allow access to protected resources without a session identifier.
Has anyone else come across this and found a workaround? Or does anyone know if/when the version of Tomcat used by OMSA will be updated?
Our security tools are flagging multiple (4!) vulnerabilities in OMSA 7.2 as well. OMSA is using a woefully out of date version of Apache Tomcat, and the vulnerabilities are all apparently corrected in newer versions of Apache Tomcat:
The CVE links are as follows - the CSRF one that Daniel O posted about is vulnerability 3 below (CVE-2012-4431):
Vulnerability 1 - Apache Tomcat Security Bypass and Denial of Service Vulnerabilities:
Vulnerability 2 - Apache Tomcat NIO Connector Sendfile HTTPS Denial of Service:
Vulnerability 3 - Apache Tomcat CSRF Prevention Filter Security Bypass Vulnerability:
Vulnerability 4 - Apache Tomcat FormAuthenticator Component Security Bypass Vulnerability:
Bottom line - Dell... PLEASE update the bundled version of Apache Tomcat in OMSA to a newer version (at least 7.0.32) that corrects these security vulnerabilities!
We have also come across these vulnerabilities recently. But as no workaround has been found yet, these reports are getting highlighted in the audits.
If anyone knows the workaround until Dell comes up with a new version of Apache, please let us know.
We managed to get the information we needed to manually resolve this, but we had to create a support ticket to make it happen... something like this should just be posted publicly, IMO - as it is a serious enough issue that everyone should know how to resolve. It worked for us - the vulnerabilities are remediated, and OMSA still works. Apparently they are going to use a more current Apache Tomcat in future OMSA releases.
So, here's my community contribution - the exact instructions on how to do it:
Upgrade Tomcat instructions for OMSA 7.1 or 7.2:
Just replacing the apache-tomcat folder with the latest version, while retaining the web.xml, server.xml and keystore.db files in the apache-tomcat/conf folder, will work. Taking a careful backup of the apache-tomcat folder will help in reverting back.
Steps to follow:
Steps to revert back:
If the connection service doesn't start, you need to revert the setup.
Known issues: The version will not show up correctly on the Summary and About pages, or in CLI commands.
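The replace-and-keep-three-files procedure above, as an added shell example that is not from the thread or from Dell: it moves the bundled apache-tomcat directory aside as a backup, copies an unpacked newer Tomcat into its place, restores conf/web.xml, conf/server.xml and conf/keystore.db from the backup, and can put the backup back if the connection service fails to start. Directory paths are placeholders; stop the OMSA web server before running it and start it again afterward.

```shell
#!/bin/sh
# Added example: swap OMSA's bundled apache-tomcat directory for a newer
# Tomcat while keeping the three conf files the post says must survive.
# Directory paths are placeholders; adapt them to your OMSA install.

# Files in conf/ that carry the OMSA-specific configuration and keystore.
PRESERVE="web.xml server.xml keystore.db"

# upgrade_tomcat OLD_DIR NEW_DIR
#   OLD_DIR: the apache-tomcat directory OMSA currently uses
#   NEW_DIR: an unpacked newer Tomcat release (7.0.32 or later)
# Renames OLD_DIR to OLD_DIR.bak-<timestamp>, copies NEW_DIR into place and
# restores the preserved files from the backup. Prints the backup path.
upgrade_tomcat() {
    old="$1"; new="$2"
    backup="${old}.bak-$(date +%Y%m%d%H%M%S)"
    # Refuse to proceed unless NEW_DIR looks like a Tomcat tree and every
    # file we must preserve actually exists in the old conf/.
    [ -f "$new/lib/catalina.jar" ] || { echo "not a Tomcat dir: $new" >&2; return 1; }
    for f in $PRESERVE; do
        [ -f "$old/conf/$f" ] || { echo "missing $old/conf/$f" >&2; return 1; }
    done
    mv "$old" "$backup" || return 1        # backup is the untouched original
    cp -Rp "$new" "$old" || return 1       # new release takes its place
    for f in $PRESERVE; do
        cp -p "$backup/conf/$f" "$old/conf/$f" || return 1
    done
    echo "$backup"
}

# revert_tomcat OLD_DIR BACKUP_DIR
# Puts the backup back if the connection service will not start.
revert_tomcat() {
    old="$1"; backup="$2"
    [ -d "$backup" ] || { echo "no backup at $backup" >&2; return 1; }
    rm -rf "$old" && mv "$backup" "$old"
}

# Usage (placeholder paths):
#   sh upgrade_omsa_tomcat.sh /path/to/omsa/apache-tomcat /tmp/apache-tomcat-7.0.32
if [ $# -eq 2 ]; then
    upgrade_tomcat "$1" "$2"
fi
```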
I've also run into this. Our security team has uncovered this as an issue with Apache2, not Tomcat.
I've run through the steps listed above and this is still showing a vulnerability with Apache2.
This is part of the report from a new Nessus scan run after applying the workaround listed in the above post.
55976 - Apache HTTP Server Byte Range DoS
Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression.
If the host is running a web server based on Apache httpd, contact the vendor for a fix.
I'm not sure if this version of Apache was installed with a previous version of OMSA. I have disabled the service, and I am still able to see the server in OMSA and OME.
I have validated that the server is no longer listening on port tcp/8080.