
Tomcat and MySQL Vulnerabilities

Summary

Tomcat contains an information leakage vulnerability and MySQL 5 an SQL injection vulnerability.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced

2007-03-22

Description

Introduction

The VDT has learned of a new security flaw in Tomcat 5.0 and 5.5. We believe this flaw represents a very low security threat to VDT users. However, for administrators who wish to mitigate the apparently low risk, this email provides instructions for further securing a Tomcat 5.0 or 5.5 installation.

There is also a problem with MySQL 5. Because this only affects those installing the Gratia services (not the probes), and we believe that few if any people are installing them, we also consider this to be a low risk problem.

Background

In the VDT, Apache always serves as a front-end to the Tomcat web application server. That is, Apache receives all HTTP(S) requests and passes some on to Tomcat (via mod_jk) for further handling. Tomcat ships with a variety of demo and administrative web applications that are enabled within Tomcat itself but not exposed by Apache. The exploit allows the extra web applications to be accessed via the Apache front end.

As best we can tell, the extra exposure has no real consequence for default installations of the VDT. While it is true that the Tomcat admin and manager web applications can be accessed using this exploit, they are configured to allow access only to (Tomcat) users having certain roles and, by default, no users are assigned these roles. Thus, attackers can gain access only to a password-entry page in each application. The remaining web applications are demos or are not configured to perform any real actions and are thus deemed harmless.

For more information about the exploit itself, see:

Thanks to Horst Severini for pointing us at the exploit.

Solution

Immediate Mitigation

If you have Tomcat 5.0 or 5.5 installed from the VDT and you are concerned about the extra exposure that this exploit provides, you can simply remove the extra, unneeded web applications that ship with Tomcat.
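As an added illustration (not VDT code), the script below audits a Tomcat 5.x tree for the stock applications this mitigation suggests removing and for tomcat-users.xml entries holding the admin or manager roles on which the background section's risk assessment depends. The directory layout, the list of stock applications and the sample tree it builds are assumptions constructed for the demonstration.

```python
import os, shutil, tempfile
import xml.etree.ElementTree as ET
# Stock Tomcat 5.0/5.5 apps a VDT install does not need (assumed default 5.5 list; ROOT kept).
EXTRA_WEBAPPS = {"admin", "manager", "balancer", "jsp-examples",
                 "servlets-examples", "tomcat-docs", "webdav"}
PRIVILEGED_ROLES = {"admin", "manager"}

def find_extra_webapps(catalina_home):
    """Unneeded stock apps in webapps/, server/webapps/ and their context
    descriptors in conf/Catalina/localhost/ (assumed Tomcat 5.x layout)."""
    found = []
    for sub in ("webapps", os.path.join("server", "webapps")):
        base = os.path.join(catalina_home, sub)
        if os.path.isdir(base):
            found += [os.path.join(base, d) for d in sorted(os.listdir(base))
                      if d in EXTRA_WEBAPPS]
    ctx = os.path.join(catalina_home, "conf", "Catalina", "localhost")
    if os.path.isdir(ctx):
        found += [os.path.join(ctx, f) for f in sorted(os.listdir(ctx))
                  if f.endswith(".xml") and f[:-4] in EXTRA_WEBAPPS]
    return found

def privileged_users(tomcat_users_xml):
    """{username: roles} for users holding admin or manager; empty is the default."""
    result = {}
    for user in ET.parse(tomcat_users_xml).getroot().iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if roles & PRIVILEGED_ROLES:
            result[user.get("username")] = sorted(roles)
    return result

def remove_extra_webapps(catalina_home, dry_run=True):
    """The advisory's mitigation: delete the unneeded apps (dry_run only lists)."""
    targets = find_extra_webapps(catalina_home)
    for path in ([] if dry_run else targets):
        (shutil.rmtree if os.path.isdir(path) else os.remove)(path)
    return targets

def build_sample_tree():
    """Constructed Tomcat 5.5-style tree so the audit runs stand-alone."""
    home = tempfile.mkdtemp(prefix="catalina-")
    for d in ("webapps/ROOT", "webapps/jsp-examples", "webapps/tomcat-docs",
              "server/webapps/manager", "conf/Catalina/localhost"):
        os.makedirs(os.path.join(home, d))
    open(os.path.join(home, "conf/Catalina/localhost/manager.xml"), "w").close()
    with open(os.path.join(home, "conf/tomcat-users.xml"), "w") as f:
        f.write('<tomcat-users><user username="tomcat" password="x" roles="tomcat"/>'
                '<user username="ops" password="x" roles="manager,tomcat"/></tomcat-users>')
    return home
```

Run `remove_extra_webapps` with `dry_run=True` first and review the list against what Apache is meant to expose through mod_jk; any user reported by `privileged_users` means the admin or manager pages are more than a password prompt for that account.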

Future Solutions

We cannot upgrade Tomcat 5.0 because there is no new version. However, we will do the following:

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.