Security Vulnerability - Default files


Nitin Kadam
Hi Team,

The internal security team reported the below as security findings. We do not
have anyone from a Tomcat background, and so we need to know the best
steps to resolve this issue.

"Delete the default index page and remove the example JSP and servlets.
Follow the Tomcat or OWASP instructions to replace or modify the default
error page."

This is a finding from the Nessus tool. It would be great if someone could help
with steps to resolve it.

Apache Tomcat version: 8.5.38
Operating system: Windows Server 2012 R2


--
Regards
Nitin Kadam
(9967688959)

Re: Security Vulnerability - Default files

Robert Turner
Have a look at https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
. The documentation includes the recommendations made by your internal
security team, along with others.

You may also want to upgrade to 8.5.61 or 9.0.41 to pick up the latest
security updates for Tomcat. (latest versions at time of writing)


If you are unsure how to delete the files mentioned in your security
team's recommendations and the documentation, there are two approaches I
can think of quickly:

1. Remove the files from the installation folder (navigate to the
installed folder under Program Files, open "webapps", and remove the
files/folders).

2. Create a new CATALINA_BASE folder with only what you need, and
reconfigure the Windows service to use the new folder. Use the Configure
Tomcat application shortcut and change the "catalina.base" property passed
to Java when starting the service to point to your new folder containing only
the things you need (start with a copy of the Tomcat installation folder, then
remove "bin" and "lib" and the webapps/files you do not need). This
approach avoids modifying the original installation files/folders.

You may also be able to modify the installation settings of the application
using Add or Remove Programs in Windows Control Panel to remove the example
applications if you'd prefer that approach instead of #1 above, but that
might require reinstalling Tomcat again.

Best of luck,

Robert


On Thu, Jan 21, 2021 at 9:24 AM Nitin Kadam <[hidden email]>
wrote:

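Added example, not from Robert's post or from the Tomcat project: a PowerShell script for approach #1 above, to be run on the server from an elevated prompt. It moves the stock docs, examples and (unless -KeepManager is given) manager and host-manager applications out of webapps into a dated backup folder, removes ROOT\index.jsp only if it is the stock welcome page, and then requests each removed path to confirm Tomcat now answers 404. The install path, the service name "Tomcat8", port 8080 and the welcome-page marker text are assumptions; adjust them for your server.

```powershell
# Added example (not from the thread): remove Tomcat's default web applications
# and confirm over HTTP that they are gone. Assumptions: installer default path,
# service name "Tomcat8", HTTP port 8080, and the stock ROOT\index.jsp containing
# the text "successfully installed Tomcat". Run from an elevated PowerShell prompt.
[CmdletBinding(SupportsShouldProcess=$true)]
param(
    [string]$CatalinaBase = 'C:\Program Files\Apache Software Foundation\Tomcat 8.5',
    [string]$ServiceName  = 'Tomcat8',
    [string]$BaseUrl      = 'http://localhost:8080',
    [switch]$KeepManager   # keep manager/host-manager if you deploy through them
)
$ErrorActionPreference = 'Stop'
$webapps = Join-Path $CatalinaBase 'webapps'
$backup  = Join-Path $env:ProgramData ('tomcat-webapps-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))

# Stock applications shipped by the installer; ROOT is handled separately below.
$defaults = @('docs', 'examples')
if (-not $KeepManager) { $defaults += 'manager', 'host-manager' }

New-Item -ItemType Directory -Path $backup -Force | Out-Null
Stop-Service -Name $ServiceName          # skipped under -WhatIf, like the moves below

foreach ($app in $defaults) {
    $dir = Join-Path $webapps $app
    if (-not (Test-Path $dir)) { continue }
    if ($PSCmdlet.ShouldProcess($dir, 'Move default webapp to backup')) {
        Move-Item -Path $dir -Destination (Join-Path $backup $app)
    }
}

# The "default index page" in the finding is ROOT\index.jsp. Only touch it when it
# is the stock welcome page; a customised ROOT may be your own application.
$isStock   = $false
$rootIndex = Join-Path $webapps 'ROOT\index.jsp'
if (Test-Path $rootIndex) {
    $isStock = Select-String -Path $rootIndex -Pattern 'successfully installed Tomcat' -SimpleMatch -Quiet
    if ($isStock) {
        if ($PSCmdlet.ShouldProcess($rootIndex, 'Move stock welcome page to backup')) {
            Move-Item -Path $rootIndex -Destination (Join-Path $backup 'ROOT-index.jsp')
        }
    } else {
        Write-Warning 'ROOT\index.jsp is not the stock welcome page; left in place for manual review.'
    }
}

Start-Service -Name $ServiceName
Start-Sleep -Seconds 10                  # let Tomcat finish deploying; raise on slow hosts

# Windows PowerShell throws on 4xx/5xx, so pull the status code out of the exception.
function Get-HttpStatus([string]$Url) {
    try {
        return [int](Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15).StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# Every removed path must now answer 404; anything else means the file is still served.
$paths = @($defaults | ForEach-Object { "/$_/" })
if ($isStock) { $paths += '/' }
foreach ($p in $paths) {
    $code = Get-HttpStatus "$BaseUrl$p"
    '{0,-16} HTTP {1}  {2}' -f $p, $code, $(if ($code -eq 404) { 'gone' } else { 'STILL SERVED' })
}
"Removed files were moved to: $backup"
```

Save it as a .ps1 and run it first with -WhatIf to see what would be moved (the service is left running in that mode, so the checks will report STILL SERVED). If your own application is deployed as ROOT, the script leaves its index page alone and prints a warning; the "default index page" part of the finding then has to be judged by hand, which is the caveat Robert raises about ROOT.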

Re: Security Vulnerability - Default files

Christopher Schultz-2
In reply to this post by Nitin Kadam
Nitin,

On 1/21/21 09:17, Nitin Kadam wrote:

> The internal security team reported below as Security findings. We do not
> have anyone from a Tomcat background and for same we need to know the best
> steps to resolve this issue.
>
> "Delete the default index page and remove the example JSP and servlets.
> Follow the Tomcat or OWASP instructions to replace or modify the default
> error page."
>
> This is a finding from the Nessus tool. It would be great if someone helps
> with steps to resolve.

You might want to read up on Nessus's description of this finding, as
well as these resources:

http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
http://tomcat.apache.org/presentations.html#latest-locking-down-tomcat

OWASP has some good resources, and though their Tomcat-specific content
is a little dated, it is all still relevant.

> Apache Tomcat version: 8.5.38

tl;dr: upgrade

This version of Tomcat is nearly 2 years old. There are published
vulnerabilities classified as "Important" by the Tomcat security team
which have been fixed since this version. I would strongly encourage you
to read the security reports[1] for Tomcat 8.x to determine if any of
them affect you.

> Operating system: Windows Server 2012 R2

While this version of Microsoft Windows is still supported (only if you
are paying for "extended support"!), you might want to look at a path
for migration to a more modern version.

-chris

[1] http://tomcat.apache.org/security-8.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
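
Added example, not part of Chris's reply or of the Tomcat project, for the other half of the Nessus finding quoted above: the default error page. The page is rendered by Tomcat's ErrorReportValve, whose showReport and showServerInfo attributes are described in the Valve reference for 8.5; this script declares that valve on every Host in conf\server.xml with both set to false, restarts the service, and then fetches a URL that cannot exist to check that neither a version banner nor a stack trace comes back. The install path, service name "Tomcat8" and port 8080 are assumptions.

```powershell
# Added example (not from the thread): stop Tomcat's default error page from
# revealing the server version and stack traces, then verify. Assumptions:
# installer default path, service name "Tomcat8", HTTP port 8080. Run elevated.
param(
    [string]$CatalinaBase = 'C:\Program Files\Apache Software Foundation\Tomcat 8.5',
    [string]$ServiceName  = 'Tomcat8',
    [string]$BaseUrl      = 'http://localhost:8080'
)
$ErrorActionPreference = 'Stop'
$serverXml = Join-Path $CatalinaBase 'conf\server.xml'
Copy-Item -Path $serverXml -Destination ('{0}.bak-{1:yyyyMMdd-HHmmss}' -f $serverXml, (Get-Date))

[xml]$doc   = Get-Content -Path $serverXml -Raw
$valveClass = 'org.apache.catalina.valves.ErrorReportValve'

# Tomcat attaches an ErrorReportValve with showReport="true" and showServerInfo="true"
# to any Host that does not declare one, so every Host gets an explicit valve here.
# ($host is a reserved variable in PowerShell, hence $hostNode.)
foreach ($hostNode in $doc.SelectNodes('//Host')) {
    $valve = $hostNode.SelectSingleNode("Valve[@className='$valveClass']")
    if (-not $valve) {
        $valve = $doc.CreateElement('Valve')
        $valve.SetAttribute('className', $valveClass)
        $hostNode.AppendChild($valve) | Out-Null
    }
    $valve.SetAttribute('showReport', 'false')      # no exception message or stack trace
    $valve.SetAttribute('showServerInfo', 'false')  # no "Apache Tomcat/8.5.x" footer
    "Configured ErrorReportValve on Host name='$($hostNode.GetAttribute('name'))'"
}
$doc.Save($serverXml)

Restart-Service -Name $ServiceName
Start-Sleep -Seconds 10

# Check: request a path that cannot exist and inspect the 404 body. Windows
# PowerShell throws on 4xx, so the body is read from the exception's response.
$url = "$BaseUrl/no-such-path-$(Get-Random)"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    $code = [int]$resp.StatusCode; $body = $resp.Content
} catch [System.Net.WebException] {
    $r    = $_.Exception.Response
    $code = [int]$r.StatusCode
    $body = (New-Object System.IO.StreamReader($r.GetResponseStream())).ReadToEnd()
}
$markers = @('Apache Tomcat/', 'Exception', 'at org.apache.') | Where-Object { $body -like "*$_*" }
"HTTP $code for $url"
if ($markers) { Write-Warning ('Error page still reveals: ' + ($markers -join ', ')) }
else          { 'Error page shows no version banner or stack trace.' }
```

The script keeps a timestamped copy of server.xml before saving, since XmlDocument.Save re-indents the file. If the security team wants a branded page rather than Tomcat's bare "HTTP Status 404" text, the same Valve reference documents attributes for pointing individual status codes at static HTML in recent 8.5 releases; check the reference for the exact version you end up running.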


Re: Security Vulnerability - Default files

Darryl Lewis-2
In reply to this post by Nitin Kadam
How do you run and support a server technology you know nothing about?
Someone must have built it, installed it, and supported it.

On 22/1/21, 1:25 am, "Nitin Kadam" <[hidden email]> wrote:




Re: Security Vulnerability - Default files

Bill Stewart
In reply to this post by Nitin Kadam
On Thu, Jan 21, 2021 at 7:19 AM Nitin Kadam wrote:

> Hi Team,
>
> The internal security team reported below as Security findings. We do not
> have anyone from a Tomcat background and for same we need to know the best
> steps to resolve this issue.

I am thinking you might need to adjust your expectations regarding an
open-source software public mailing list.

Bill


Re: Security Vulnerability - Default files

Nitin Kadam
In reply to this post by Darryl Lewis-2
Hi Darryl - The person who built this is no longer with the organization, and
in his absence I have been asked to handle this. I am from a Windows
administrator background.

We only have a couple of web apps hosted, so no frequent changes have happened.

There

On Thu, Jan 21, 2021 at 8:49 PM Darryl Lewis <[hidden email]>
wrote:


--
Regards
Nitin Kadam
(9967688959)

Re: Security Vulnerability - Default files

Nitin Kadam
In reply to this post by Robert Turner
Thank you Robert for your reply.

If we upgrade the Tomcat version from the current 8.5.38 to 8.5.61, will
this remediate the findings, or do we still need to delete these files as
suggested?

Also, is this upgrade straightforward, or do we need to perform it
with any specific steps? Please suggest.

I am from a Windows Administrator background and hence facing these
challenges, so expecting help from you and this group.

On Thu, Jan 21, 2021 at 8:06 PM Robert Turner <[hidden email]> wrote:



--
Regards
Nitin Kadam
(9967688959)

Re: Security Vulnerability - Default files

Darryl Lewis-2
In reply to this post by Nitin Kadam
Then the organisation either needs to get in someone to replace the missing employee, train up a person, or stop using that application.
What happens if the server crashes? If there is a bug? If you need to update certificates?
What happens if you have a security incident? The server gets hacked and any records on it stolen. Who would handle that?

If your security team doesn't understand Tomcat, they'll have no idea how to respond as there is no SME.

On 22/1/21, 2:39 pm, "Nitin Kadam" <[hidden email]> wrote:




Re: Security Vulnerability - Default files

Robert Turner
In reply to this post by Nitin Kadam
Nitin,

Upgrading the Tomcat version will not remediate those specific findings
(they aren't Tomcat version related; they are related to how the
installation was configured/installed). Newer versions contain numerous
fixes, including a number of security fixes, that really should be applied
to the server if security is of any concern at all. I suggest you treat
upgrading as a separate activity from remediating the security team's
findings.

To remediate the findings, you will still need to remove the files as per
the security team's recommendations.

Removing the files is relatively straightforward. (At this point, I
strongly suggest you have a backup in case of problems....)  Locate the
installation folder (typically C:\Program Files\Apache Software
Foundation\Tomcat 8.5\) and then delete the relevant files and folders from
the "webapps" folder. Be sure to remove only the undesired files, and be
careful modifying the "ROOT" application as you may have
unintentional side-effects if you aren't fully aware of how it is working
(it may interact with your application in some way -- or it may not). Also
be sure you know what each of the files or folders are for (i.e. your
application, etc).

For instance, removing the "docs" and "examples" can be done by removing
the following folders from the CATALINA_BASE folder:

  webapps\docs
  webapps\examples

Please note that if your installation already has a split CATALINA_BASE and
CATALINA_HOME, you will need to locate the CATALINA_BASE folder.
CATALINA_HOME will be the standard installation folder mentioned above. By
default CATALINA_BASE is the same as CATALINA_HOME on an out-of-the-box
Windows installation.


If I remember correctly, the Tomcat installation program (last I used it),
did not support retaining the service settings, or installing over top of
the existing service. As such, upgrading Tomcat on Windows first
requires removing the existing installation and uninstalling the service. I
thus strongly suggest transcribing all the settings from the "Configure
Tomcat" application, and taking a full copy of the installation folder as a
backup first. It's likely that all customizations have been made directly
in the installation folder, unless someone has configured a
separate CATALINA_BASE folder.


I strongly encourage you to experiment on a non-production system with
Tomcat and a basic web application so that you can get familiar with the
basic administration aspects of the system. Also, reading the documentation
on the web site would also probably be well worth your time if you are
going to be maintaining this system going forward. Exploring the existing
installation without changing anything (looking at the settings for the
service, and the location of files) would also be a really good idea (if
you haven't already done so).

If you do not have time however, I am sure you can find an
experienced consultant to address this in around 1-2 hours. It's not
difficult to remedy (or upgrade), but it does require some experience and
knowledge of how the system works, and how the individual server is set up
(but that can usually be discovered without too much trouble).



-- Splitting CATALINA_BASE and CATALINA_HOME and Upgrading Tomcat on
Windows --

I have linked below to a PDF [1] of a document one of my staff wrote some
time ago in preparation for "splitting" our installation to minimize
upgrade headaches and to upgrade the installed software. The document is
not 100% accurate (I know there are some errors), nor is it super-easy to
follow, but it will give you an idea of how to split the CATALINA_HOME and
CATALINA_BASE folders, and also how to upgrade Tomcat. This document
applies to migrating and upgrading _our_ past installation on Windows
Server 2008 R2, with Tomcat 8.5.x. _Your_ installation is bound to be
_different_, and you will need to examine the configuration of the Tomcat
service, as well as where files are installed (among other things) to be
sure you understand all the details before going ahead with any changes.

Hopefully this information will point you in the right general direction
and give you some idea of where to start looking if you want to split
CATALINA_BASE and CATALINA_HOME, and upgrade Tomcat to a newer version.

[1]
https://drive.google.com/file/d/1MHPsqgGCMSgoEWNvbZ0ImFX5gARxavaE/view?usp=sharing



-- Advice --

This section isn't trying to be confrontational, I'm just offering some
candid advice in response to the last part of your email. I hope you won't
take it in a negative way.

I don't think you should _expect_ help from this group or from me. I am
hoping that "expect" was an unfortunate choice of words. I know English
isn't everyone's first language, and words do not always translate very
well. Given that I suspect no-one is paid to respond to this group, if you
_expect_ detailed step-by-step guidance from the group, you might be
setting your expectations a bit high, and you may come away frustrated or
disappointed as a result.

To best benefit from this group, a person needs to put in a reasonable
amount of effort to try to learn how Tomcat works, and how their
installation is set up and working (or not working as the case may be).
Once that is achieved, it is easier for that person to then describe their
Tomcat installation, and pose specific questions about their problems, and
then, the group would likely be more able (and willing) to provide help to
solve them.

If, for whatever reason, you don't have enough time to learn how it works
and/or how your instance is set up, I strongly suggest looking for an
experienced _paid_ consultant to do the work for you. (I do not have any
suggestions on where to look for one though.)


Robert



On Thu, Jan 21, 2021 at 10:43 PM Nitin Kadam <[hidden email]>
wrote:

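Added example, not from Robert's post or from the Tomcat project, for the two preparation steps he describes: recording the service settings before an upgrade, and splitting CATALINA_BASE from CATALINA_HOME. It reads every parameter the procrun service wrapper (tomcat8.exe) keeps under its "Procrun 2.0" registry key into a JSON file, builds a new CATALINA_BASE holding only conf, logs, temp, work and the webapps you list (bin and lib stay in CATALINA_HOME, as Robert says), and rewrites the service's JVM options with tomcat8.exe //US// so that catalina.base points at the new folder. The paths, the service name "Tomcat8", and which -D options the installer originally set are assumptions; nothing is changed unless -Apply is given.

```powershell
# Added example (not from the thread): export the Tomcat service's procrun settings,
# create a split CATALINA_BASE, and re-point the service at it.
# Assumptions: installer default paths, service name "Tomcat8", and the registry
# location used by the Apache Commons Daemon (procrun) wrapper. Run elevated.
param(
    [string]$CatalinaHome  = 'C:\Program Files\Apache Software Foundation\Tomcat 8.5',
    [string]$CatalinaBase  = 'C:\tomcat-base',
    [string]$ServiceName   = 'Tomcat8',
    [string[]]$KeepWebapps = @('ROOT'),   # your own applications; defaults are not copied
    [switch]$Apply                        # without it, only report what would be done
)
$ErrorActionPreference = 'Stop'

# 1. Record every procrun parameter (JVM options, classpath, log paths, ...) in JSON.
#    This replaces transcribing the "Configure Tomcat" dialog by hand before an upgrade.
$candidates = @(
    "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters",
    "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters"
)
$paramKey = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $paramKey) { throw "No procrun parameters found for service '$ServiceName'" }

$settings = @{}
foreach ($key in @(Get-Item $paramKey) + @(Get-ChildItem $paramKey -Recurse)) {
    $props = Get-ItemProperty -Path $key.PSPath
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $settings["$($key.PSChildName)\$($p.Name)"] = $p.Value }
    }
}
$export = Join-Path $env:ProgramData "$ServiceName-procrun-settings.json"
$settings | ConvertTo-Json -Depth 4 | Set-Content -Path $export
"Service settings written to $export"

$jvmOptions = @($settings['Java\Options'])
if (-not $jvmOptions[0]) { throw 'Java\Options not found; is this a procrun-installed Tomcat?' }

# 2. Build the new base. conf is copied so it can be edited independently of the
#    install; bin and lib are NOT copied and remain shared from CATALINA_HOME.
$plan = @(
    "Create $CatalinaBase\{conf,logs,temp,work,webapps}",
    "Copy $CatalinaHome\conf -> $CatalinaBase\conf"
) + @($KeepWebapps | ForEach-Object { "Copy $CatalinaHome\webapps\$_ -> $CatalinaBase\webapps\$_" })
$plan | ForEach-Object { "PLAN: $_" }
if ($Apply) {
    foreach ($d in 'logs', 'temp', 'work', 'webapps') {
        New-Item -ItemType Directory -Path (Join-Path $CatalinaBase $d) -Force | Out-Null
    }
    Copy-Item -Path (Join-Path $CatalinaHome 'conf') -Destination $CatalinaBase -Recurse -Force
    foreach ($app in $KeepWebapps) {
        Copy-Item -Path (Join-Path $CatalinaHome "webapps\$app") `
                  -Destination (Join-Path $CatalinaBase 'webapps') -Recurse -Force
    }
}

# 3. Rewrite the JVM options that name the base. --JvmOptions replaces the whole list
#    (entries separated by '#'); ++JvmOptions would append and leave two
#    -Dcatalina.base entries in place.
$newOptions = @(foreach ($opt in $jvmOptions) {
    switch -Wildcard ($opt) {
        '-Dcatalina.base=*'                 { "-Dcatalina.base=$CatalinaBase" }
        '-Djava.io.tmpdir=*'                { "-Djava.io.tmpdir=$CatalinaBase\temp" }
        '-Djava.util.logging.config.file=*' { "-Djava.util.logging.config.file=$CatalinaBase\conf\logging.properties" }
        default                             { $opt }
    }
})
if ($newOptions -notcontains "-Dcatalina.base=$CatalinaBase") { $newOptions += "-Dcatalina.base=$CatalinaBase" }

$exe = Join-Path $CatalinaHome 'bin\tomcat8.exe'
$procrunArgs = @("//US//$ServiceName",
                 "--JvmOptions=$($newOptions -join '#')",
                 "--LogPath=$CatalinaBase\logs")
"PLAN: $exe $($procrunArgs -join ' ')"
if ($Apply) {
    Stop-Service -Name $ServiceName
    & $exe @procrunArgs
    if ($LASTEXITCODE -ne 0) { throw "tomcat8.exe //US// failed with exit code $LASTEXITCODE" }
    Start-Service -Name $ServiceName
    "Service $ServiceName now starts with -Dcatalina.base=$CatalinaBase"
}
```

Run it once without -Apply and read the PLAN lines, then compare the JVM options it prints with what the Configure Tomcat dialog shows for the service. With -Apply it stops the service, creates the base, updates the service and starts it again. The JSON export belongs with the installation backup Robert recommends: after an uninstall and reinstall of a newer 8.5.x, each value in it can be re-entered in Configure Tomcat (or passed to tomcat8.exe //US//), and the separate CATALINA_BASE survives the reinstall untouched.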

Re: Security Vulnerability - Default files

Bill Stewart
In reply to this post by Nitin Kadam
On Thu, Jan 21, 2021 at 8:43 PM Nitin Kadam wrote:

> I am from a Windows Administrator background and hence facing these
> challenges, So expecting help from you and this group.

"Expecting help from you and this group": This phrasing makes it sound
like you think you are entitled to something.

Please keep in mind that respondents on this list provide support for
free, and there is no service-level agreement.

Bill


Re: [OT] Security Vulnerability - Default files

Christopher Schultz-2
Bill,

On 1/22/21 12:26, Bill Stewart wrote:

> On Thu, Jan 21, 2021 at 8:43 PM Nitin Kadam wrote:
>
>> I am from a Windows Administrator background and hence facing these
>> challenges, So expecting help from you and this group.
>
> "Expecting help from you and this group": This phrasing makes it sound
> like you think you are entitled to something.
>
> Please keep in mind that respondents on this list provide support for
> free, and there is no service-level agreement.

I think the OP is a non-native English speaker. I interpreted this to
mean "I'm hoping to get some help from you and this group."

-chris


Re: [OT] Security Vulnerability - Default files

Bill Stewart
On Fri, Jan 22, 2021 at 11:49 AM Christopher Schultz wrote:

> I think the OP is a non-native English speaker. I interpreted this to
> mean "I'm hoping to get some help from you and this group."

I appreciate the less-entitled potential interpretation.

Bill
