Versions Compared

Old Version 22

changes.mady.by.user ASF Infrabot

Saved on

compared with

New Version 23

changes.mady.by.user ASF Infrabot

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Mention CVE-2009-3548 in the "Record" section.

...

There have been no public cases of damage done to a company, organization, or individual due to a Tomcat security issue. There have been no documented cases of data loss or application crashes caused by an intruder. While there have been numerous analyses conducted on Tomcat, partially because this is easy to do with Tomcat's source code openly available, there have been only theoretical vulnerabilities found. All of those were addressed even though there were no documented cases of actual exploitation of these vulnerabilities.

That said,

  • There have been several reports of a compromise done via guess of the password of a user of the Manager web application.

There was once a bug that blindly clicking-trough the Windows installer configured a manager user with blank password (CVE-2009-3548). This was fixed by April 2010 (Tomcat 5.5.29, 6.0.24 and later are safe).

Please see "Security considerations" pages in Tomcat documentation (linked below) for a reference on how access to Management Applications in Tomcat should be secured.

  • There have been several reports of compromises via vulnerabilities in 3-rd party web applications deployed on Tomcat. E.g. vulnerabilities in Apache Struts framework were a popular attack target several times in years 2013-2017. E.g. Equifax breach in year 2017. It is unknown whether Equifax has run their application on Tomcat, but there have been a number of similar compromise reports from Tomcat users. Those are not caused by a vulnerability in Tomcat.

Role of Customization

We believe, and the evidence suggests, that Tomcat is more than secure enough for most use-cases. However, like all other components of Tomcat, you can customize any and all of the relevant parts of the server to achieve even higher security. For example, the session manager implementation is pluggable, and even the default implementation has support for pluggable random number generators. If you have a special need that you feel is not met by Tomcat out of the box, consider these customization options. At the same time, please bring up your requirements on the user mailing list, where we'll be glad to discuss it and assist in your approach/design/implementation as needed.

It is also possible to configure Tomcat insecurely. Please see "Security considerations" pages in Tomcat documentation (linked below) for the list of security-sensitive options.

...