The VDT has learned of a new security flaw in Tomcat 5.0 and 5.5. We believe this flaw represents a very low security threat to VDT users. However, for administrators who wish to mitigate the apparently low risk, this email provides instructions for further securing a Tomcat 5.0 or 5.5 installation.
There is also a problem with MySQL 5. Because this only affects those installing the Gratia services (not the probes), and we believe that few if any people are installing them, we also consider this to be a low risk problem.
In the VDT, Apache always serves as a front-end to the Tomcat web application server. That is, Apache receives all HTTP(S) requests and passes some on to Tomcat (via mod_jk) for further handling. Tomcat ships with a variety of demo and administrative web applications that are enabled within Tomcat itself but not exposed by Apache. The exploit allows the extra web applications to be accessed via the Apache front end.
As best as we can tell, the extra exposure has no real consequence to default installations of the VDT. While it is true that the Tomcat admin and manager web applications can be accessed using this exploit, they are configured to allow access only to (Tomcat) users having certain roles and, by default, no users are assigned these roles. Thus, attackers can gain access only to a password-entry page in each application. The remaining web applications are demos or are not configured to perform any real actions and are thus deemed harmless.
For more information about the exploit itself, see:
Thanks to Horst Severini for pointing us at the exploit.
If you have Tomcat 5.0 or 5.5 installed from the VDT and you are concerned about the extra exposure that this exploit provides, you can simply remove the extra, unneeded web applications that ship with Tomcat.
First stop Tomcat:

    vdt-control --off tomcat-5
    vdt-control --off tomcat-55      <== if you use Gratia services (not probes)

Then remove the following files and directories:

    $VDT_LOCATION/tomcat/v5/conf/Catalina/localhost/admin.xml
    $VDT_LOCATION/tomcat/v5/conf/Catalina/localhost/balancer.xml
    $VDT_LOCATION/tomcat/v5/conf/Catalina/localhost/manager.xml
    $VDT_LOCATION/tomcat/v5/server/webapps/admin/
    $VDT_LOCATION/tomcat/v5/server/webapps/manager/
    $VDT_LOCATION/tomcat/v5/webapps/ROOT/
    $VDT_LOCATION/tomcat/v5/webapps/balancer/
    $VDT_LOCATION/tomcat/v5/webapps/jsp-examples/
    $VDT_LOCATION/tomcat/v5/webapps/servlets-examples/
    $VDT_LOCATION/tomcat/v5/webapps/tomcat-docs/
    $VDT_LOCATION/tomcat/v5/webapps/webdav/
    $VDT_LOCATION/tomcat/v55/conf/Catalina/localhost/host-manager.xml
    $VDT_LOCATION/tomcat/v55/conf/Catalina/localhost/manager.xml
    $VDT_LOCATION/tomcat/v55/server/webapps/host-manager/
    $VDT_LOCATION/tomcat/v55/server/webapps/manager/
    $VDT_LOCATION/tomcat/v55/webapps/ROOT/
    $VDT_LOCATION/tomcat/v55/webapps/balancer/
    $VDT_LOCATION/tomcat/v55/webapps/jsp-examples/
    $VDT_LOCATION/tomcat/v55/webapps/servlets-examples/
    $VDT_LOCATION/tomcat/v55/webapps/tomcat-docs/
    $VDT_LOCATION/tomcat/v55/webapps/webdav/

Finally restart Tomcat:

    vdt-control --on tomcat-5
    vdt-control --on tomcat-55       <== if you use Gratia services (not probes)
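The stop / remove / restart procedure above, written out as a POSIX shell script. This is an added example and not a script shipped by the VDT; it assumes that $VDT_LOCATION points at the VDT root and that vdt-control is on PATH. It removes only the paths named in this email, so web applications you deployed yourself are left alone, and it refuses to run against an empty or missing root so that a mistyped $VDT_LOCATION cannot delete anything outside the installation.

```shell
#!/bin/sh
# Added example, not the VDT's own tooling: removes the extra Tomcat 5.0/5.5
# web applications named in the advisory from a VDT installation rooted at
# $VDT_LOCATION. Assumes vdt-control is on PATH when the stop/start steps run.

# Paths relative to $VDT_LOCATION, copied from the advisory.
TOMCAT_EXTRAS="
tomcat/v5/conf/Catalina/localhost/admin.xml
tomcat/v5/conf/Catalina/localhost/balancer.xml
tomcat/v5/conf/Catalina/localhost/manager.xml
tomcat/v5/server/webapps/admin
tomcat/v5/server/webapps/manager
tomcat/v5/webapps/ROOT
tomcat/v5/webapps/balancer
tomcat/v5/webapps/jsp-examples
tomcat/v5/webapps/servlets-examples
tomcat/v5/webapps/tomcat-docs
tomcat/v5/webapps/webdav
tomcat/v55/conf/Catalina/localhost/host-manager.xml
tomcat/v55/conf/Catalina/localhost/manager.xml
tomcat/v55/server/webapps/host-manager
tomcat/v55/server/webapps/manager
tomcat/v55/webapps/ROOT
tomcat/v55/webapps/balancer
tomcat/v55/webapps/jsp-examples
tomcat/v55/webapps/servlets-examples
tomcat/v55/webapps/tomcat-docs
tomcat/v55/webapps/webdav
"

# list_present ROOT: print each listed path that still exists under ROOT.
# Useful before the change (what will go) and after it (should print nothing).
list_present() {
    root=$1
    for p in $TOMCAT_EXTRAS; do
        [ -e "$root/$p" ] && printf '%s\n' "$root/$p"
    done
    return 0
}

# count_present ROOT: number of listed paths still present (0 once clean).
count_present() {
    list_present "$1" | wc -l | tr -d ' '
}

# remove_tomcat_extras ROOT: delete the listed paths under ROOT.
# Refuses an empty or non-existent ROOT so a typo cannot become "rm -rf /tomcat/...".
remove_tomcat_extras() {
    root=$1
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "remove_tomcat_extras: '$root' is not a directory" >&2
        return 1
    fi
    for p in $TOMCAT_EXTRAS; do
        if [ -e "$root/$p" ]; then
            rm -rf "$root/$p"
            echo "removed $root/$p"
        fi
    done
}

# The full procedure from the advisory: stop Tomcat, remove, restart.
# Only runs when REMOVE_TOMCAT_EXTRAS_RUN=1 so that sourcing this file for
# its functions (or running it on a dev box) does not touch any service.
if [ "${REMOVE_TOMCAT_EXTRAS_RUN:-0}" = 1 ]; then
    vdt-control --off tomcat-5
    vdt-control --off tomcat-55      # only if you run the Gratia services
    remove_tomcat_extras "$VDT_LOCATION"
    vdt-control --on tomcat-5
    vdt-control --on tomcat-55
fi
```

Run it as `REMOVE_TOMCAT_EXTRAS_RUN=1 sh remove-tomcat-extras.sh` on the VDT host; afterwards `list_present "$VDT_LOCATION"` should print nothing, which is the check that the extra applications (and their context descriptors under conf/Catalina/localhost) are really gone.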
We cannot upgrade Tomcat 5.0 because there is no new version. However, we will do the following: