Versions Compared

Old Version 28

changes.mady.by.user Konstantin Kolinko

Saved on

compared with

New Version 29

changes.mady.by.user Timothy Funk

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added Log4Shell CVE-2021-44228

...

  1. How do I use OpenSSL to set up my own Certificate Authority (CA)?
  2. Oh no! Port 8005 is available for anyone on localhost to shutdown my tomcat!
  3. What about Tomcat running as root?
  4. How do I force all my pages to run under HTTPS?
  5. What is the default login for the manager and admin app?
  6. How do I restrict access by ip address or remote host?
  7. How do I use jsvc/procrun to run Tomcat on port 80 securely?
  8. Has Tomcat's security been independently analyzed or audited?
  9. How do I change the Server header in the response?
  10. Why are passwords in plain text?
  11. How can I restrict the list of ciphers used for HTTPS?
  12. Which cipher suites should I use?
  13. Is Tomcat affect by Log4Shell CVE-2021-44228?

Answers

Anchor
Q1
Q1
How do I use OpenSSL to set up my own Certificate Authority (CA)?

...

Anchor
Q12
Q12
Which cipher suites should I use?

See Security/Ciphers.

Anchor
Q13
Q13
Is Tomcat affect by Log4Shell CVE-2021-44228?

Out of the box  - No.

But that doesn't prevent an application deployed to Tomcat from using log4j2. In which case, please use general guidance on various remediations. As of this writing, they include any of these 

  • Upgrading log4j2 to 2.15.0 (or better)
    • This is the best fix
  • Use system property log4j2.formatMsgNoLookups=true to disable message formatting
    • This is a reasonable workaround
  • Remove the following files from your jar file: log4j-core-2.XX.Y.jar  (This is a hack. A simple one but effective)
    • org/apache/logging/log4j/core/net/JndiManager$1.class
    • org/apache/logging/log4j/core/util/JndiCloser.class
    • org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class
    • org/apache/logging/log4j/core/lookup/JndiLookup.class
    • org/apache/logging/log4j/core/net/JndiManager.class
    • org/apache/logging/log4j/core/selector/JndiContextSelector.class
  • Ensuring your JRE is 1.8.121 or better. (This version doesn't fix the issue, it just eliminates one very easy to exploit attack vector.)
    • But these 2 system properties must also be set to false (or unset) com.sun.jndi.rmi.object.trustURLCodebase,com.sun.jndi.cosnaming.object.trustURLCodebase
    • Newer JVM's can still fall victim to this attack with the older log4j2. It is beyond the scope of this FAQ to explain how. But the TL;DR is it the exploit becomes more application or application server specific.