Preface
This FAQ section provides help with some security-related issues. If you hear of a vulnerability or its exploitation, please let us know on the [mailto:security@tomcat.apache.org security@tomcat.apache.org] mailing list.
The Record
Tomcat's security record is impeccable. There have been no public cases of damage done to a company, organization, or individual due to a Tomcat security issue. There have been no documented cases of data loss or application crashes caused by an intruder. While numerous analyses have been conducted on Tomcat, partly because this is easy to do with Tomcat's source code openly available, only a few theoretical vulnerabilities have been found. All of those were addressed rapidly even though there were no documented cases of actual exploitation. That said,
- There have been several reports of compromises done by guessing the password of a user of the Manager web application. There was once a bug where blindly clicking through the Windows installer configured a manager user with a blank password (CVE-2009-3548). This was fixed by April 2010 (Tomcat 5.5.29, 6.0.24 and later are safe). Please see the "Security considerations" pages in the Tomcat documentation (linked below) for a reference on how access to the management applications in Tomcat should be secured.
- There have been several reports of compromises via vulnerabilities in third-party web applications deployed on Tomcat. For example, vulnerabilities in the Apache Struts framework were a popular attack target several times between 2013 and 2017; the Equifax breach of 2017 is the best-known case. It is unknown whether Equifax ran their application on Tomcat, but there have been a number of similar compromise reports from Tomcat users. Those are not caused by a vulnerability in Tomcat.
Role of Customization
We believe, and the evidence suggests, that Tomcat is more than secure enough for most use cases. However, like all other components of Tomcat, you can customize any and all of the relevant parts of the server to achieve even higher security. For example, the session manager implementation is pluggable, and even the default implementation has support for pluggable random number generators. If you have a special need that you feel is not met by Tomcat out of the box, consider these customization options. At the same time, please bring up your requirements on the user mailing list, where we'll be glad to discuss them and assist in your approach/design/implementation as needed.
It is also possible to configure Tomcat insecurely. Please see "Security considerations" pages in Tomcat documentation (linked below) for the list of security-sensitive options.
Links
...
Questions
How do I use OpenSSL to set up my own Certificate Authority (CA)?
...
Answers
How do I use OpenSSL to set up my own Certificate Authority (CA)?
[http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2 Using OpenSSL to set up your own CA].
...
OH NO! PORT 8005 is available for anyone on localhost to shut down my Tomcat!
See these two discussions:
- [http://marc.theaimsgroup.com/?t=104396653200003&r=1&w=2 Possible to switch off tcp/ip server shutdown?]
- [http://marc.theaimsgroup.com/?t=103126643200005&r=1&w=2 Tomcat shutdown & security]
The shutdown listener only binds to localhost, but any local process that can connect to it and send the shutdown string stops the server. In current releases you can disable it entirely by setting port="-1" on the Server element in server.xml; if you keep it, at least replace the default shutdown string "SHUTDOWN" with something unguessable.
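As an added example (not code from the Tomcat project or from the threads above), here is the top of a server.xml with the as-shipped shutdown listener beside a hardened one. Only one Server element may exist in a real file, so the alternatives are shown commented out; the shutdown string in the last variant is a placeholder.

```xml
<!-- Added example, not the Tomcat project's own server.xml. -->

<!-- Default (as shipped): any local process that can open TCP 8005 and
     send the string "SHUTDOWN" stops Tomcat.
<Server port="8005" shutdown="SHUTDOWN">
-->

<!-- Hardened: port="-1" disables the shutdown listener entirely. Stop
     Tomcat through the service manager or by signalling the JVM instead. -->
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- redirectPort is where CONFIDENTIAL security constraints send
         plain-HTTP clients; it must match an HTTPS Connector. -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>

<!-- If the port has to stay (scripts that rely on it), keep it bound to
     loopback and replace the guessable default command with a long random
     string. The value below is a placeholder, not a recommendation.
<Server port="8005" address="127.0.0.1" shutdown="REPLACE-WITH-A-LONG-RANDOM-STRING">
-->
```

With port="-1", `catalina.sh stop` can no longer contact the listener; stop the JVM through the OS service manager, or use `catalina.sh stop -force` with CATALINA_PID set so the script can signal the process.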
On running Tomcat as root, see this thread: [http://marc.theaimsgroup.com/?t=104516038700003&r=1&w=2 Tomcat as root and security issues]
How do I force all my pages to run under HTTPS?
[http://marc.theaimsgroup.com/?l=tomcat-user&m=104951559722619&w=2 Use security-constraint in web.xml]. A constraint with a transport-guarantee of CONFIDENTIAL makes Tomcat answer plain-HTTP requests for the covered URLs with a redirect to the redirectPort configured on the Connector that received them, so that port must be served by an HTTPS Connector.
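The constraint described above, as an added example that is not from the Tomcat project or the linked post: a minimal web.xml that requires HTTPS for every URL of the application. It assumes the receiving Connector has redirectPort="8443" and that an HTTPS Connector listens there.

```xml
<!-- Added example, not the Tomcat project's own web.xml. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <!-- /* matches every path; omitting <http-method> covers every method,
           so there is no GET-only gap for POST or PUT to slip through. -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- Deliberately no <auth-constraint>: this does not require a login,
         it only requires an encrypted transport. A plain-HTTP request is
         redirected to the Connector's redirectPort (assumed 8443). -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

If TLS is terminated on a reverse proxy in front of Tomcat, every request reaches Tomcat as plain HTTP and this constraint produces a redirect loop. In that deployment configure a RemoteIpValve with protocolHeader set to the header the proxy sends (typically X-Forwarded-Proto) and an internalProxies pattern that matches only the proxy, so that request.isSecure() reflects the client's original connection.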
What is the default login for the manager and admin app?
The admin and manager applications do not provide a default login. Doing so would be a security flaw. You need to edit $CATALINA_HOME/conf/tomcat-users.xml if you are using the default install: [http://tomcat.apache.org/tomcat-4.1-doc/manager-howto.html#Configuring%20Manager%20Application%20Access Configuring Manager Application Access]
Note that there exists malware that tries to guess the manager password. There was once a bug where blindly clicking through the Windows installer configured a manager user with a blank password (CVE-2009-3548); see "The Record" above for the fixed versions.
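An added example of the file the answer refers to (not the Tomcat project's own tomcat-users.xml): one account granted access to the Manager's HTML interface. The role names are those of Tomcat 7 and later; Tomcat 4 to 6 used the single role "manager". The username and password are placeholders.

```xml
<!-- Added example, not the Tomcat project's own conf/tomcat-users.xml. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

  <!-- manager-gui grants the HTML interface only. Do not grant manager-script
       or manager-jmx to the same account: the HTML interface has CSRF
       protection, the text and JMX interfaces do not, so a user holding both
       can be driven by a forged request from a page they happen to visit. -->
  <role rolename="manager-gui"/>

  <!-- Malware scans for weak Manager logins; use a long random password.
       The value here is a placeholder, not a suggestion. -->
  <user username="deployer"
        password="REPLACE-WITH-A-LONG-RANDOM-PASSWORD"
        roles="manager-gui"/>

</tomcat-users>
```

Passwords in this file are stored in plain text unless a CredentialHandler is configured on the Realm; see the FAQ/Password page referenced below.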
How do I restrict access by IP address or remote host?
By using the RemoteHostValve or RemoteAddrValve. Warning: these valves rely on accurate incoming IP addresses or hostnames, so they can fall victim to spoofing! Behind a reverse proxy they see the proxy's address for every client unless a correctly configured RemoteIpValve runs before them, and RemoteHostValve trusts reverse DNS, which the owner of the client's address range controls. [http://tomcat.apache.org/tomcat-4.1-doc/config/valve.html Valve Reference Link]
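As an added example (not the Tomcat project's own file), here is a Context definition for the Manager application, such as conf/Catalina/localhost/manager.xml, that limits it to loopback clients and shows how the valves interact with a reverse proxy. It assumes Tomcat 7 or later, where the allow attribute is a single regular expression matched against the whole address, and it assumes a proxy at 10.0.0.5; placing RemoteIpValve inside the Context is a choice made to keep the example in one file, it is more commonly defined at Engine or Host level.

```xml
<!-- Added example, not the Tomcat project's own manager context.xml. -->
<Context antiResourceLocking="false" privileged="true">

  <!-- Only needed when Tomcat sits behind a reverse proxy. RemoteIpValve
       replaces the peer address with the client address from X-Forwarded-For,
       but only for requests whose peer matches internalProxies (10.0.0.5 is
       an assumed proxy address). Leave internalProxies at its default and
       a client on any private range could forge the header. Valves run in
       the order they are declared, so this one must come first. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="10\.0\.0\.5"
         remoteIpHeader="x-forwarded-for"
         protocolHeader="x-forwarded-proto"/>

  <!-- Allow IPv4 and IPv6 loopback only; every other address receives 403.
       The pattern must match the entire address, not a prefix. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

  <!-- Weaker alternative, shown disabled: RemoteHostValve matches the
       reverse-DNS name of the peer, which the peer's network owner can set
       to anything, and only works with enableLookups="true" on the Connector.
  <Valve className="org.apache.catalina.valves.RemoteHostValve"
         allow="localhost|.*\.example\.internal"/>
  -->

</Context>
```

Requests that do not arrive from 10.0.0.5 pass through RemoteIpValve unchanged, so a direct connection from the machine itself is still judged on its real loopback address.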
Fairly easily ;) See the Setup page in the docs for your Tomcat release, and read [http://marc.theaimsgroup.com/?l=tomcat-user&m=108566020231438&w=2 this mailing list post] for a complete setup example with permissions etc.
Has Tomcat's security been independently analyzed or audited?
Yes, by numerous organizations and individuals, many times. Try [http://www.google.com/search?sourceid=navclient&ie=UTF-8&q=is+tomcat+secure this Google search] and you'll see many references, guides, and analyses.
How do I change the Server header in the response?
In server.xml, add a "server" attribute to the Connector element; its value overrides both the Tomcat default and any Server header set by a web application. Tomcat 7 sends "Apache-Coyote/1.1" by default, while Tomcat 8.5 and later send no Server header at all unless the application or this attribute supplies one. See the Connector reference: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
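The setting described above, as an added example (not from the Tomcat project): an HTTP Connector in server.xml with the Server header pinned to a fixed value. The value "Apache" is an arbitrary choice.

```xml
<!-- Added example, not the Tomcat project's own server.xml. -->

<!-- Default: no server attribute. Tomcat 7 answers with
     "Server: Apache-Coyote/1.1"; Tomcat 8.5 and later send no Server
     header unless a web application sets one.
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
-->

<!-- Overridden: the fixed value replaces the Tomcat default and any
     Server header a web application tries to set, so the version of the
     container is not advertised to every client. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"
           server="Apache"/>
```

Check the result from the command line with `curl -sI http://localhost:8080/ | grep -i '^server:'`; the header should show the configured value and nothing else.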
...
Why are passwords in plain text?
We have a page dedicated to this topic: FAQ/Password.
...
How can I restrict the list of ciphers used for HTTPS?
See HowTo SSLCiphers.
...
Is Tomcat vulnerable to the Heartbleed bug?
See Security/Heartbleed.
...
Is Tomcat vulnerable to the POODLE attack?
See Security/POODLE.
...
Which cipher suites should I use?
See Security/Ciphers.