2 Posts
0
OMSA 7.2 Tomcat version
Our security audit is flagging the version of Apache Tomcat that OMSA 7.2 is using as being a vulnerability. The description is:
According to its self-reported version number, the instance of Apache Tomcat 7.0 listening on the remote host is earlier than Tomcat 7.0.32 and, therefore, may be affected by a security bypass vulnerability. An error exists in the file 'filters/CsrfPreventionFilter.java' that can allow cross-site request forgery (CSRF) attacks to bypass the filtering. This can allow access to protected resources without a session identifier.
Has anyone else come across this and found a workaround? Or does anyone know if/when the version of Tomcat used by OMSA will be updated?
Thanks
EdgeDC
2 Posts
0
January 18th, 2013 14:00
Our security tools are flagging multiple (4!) vulnerabilities in OMSA 7.2 as well. OMSA is using a woefully out of date version of Apache Tomcat, and the vulnerabilities are all apparently corrected in newer versions of Apache Tomcat:
The CVE links are as follows - the CSRF one that Daniel O posted about is vulnerability 3 below (CVE-2012-4431):
Vulnerability 1 - Apache Tomcat Security Bypass and Denial of Service Vulnerabilities:
National Vulnerability Database (NVD) (CVE-2012-2733)
National Vulnerability Database (NVD) (CVE-2012-5885)
National Vulnerability Database (NVD) (CVE-2012-5886)
National Vulnerability Database (NVD) (CVE-2012-5887)
Vulnerability 2 - Apache Tomcat NIO Connector Sendfile HTTPS Denial of Service:
National Vulnerability Database (NVD) (CVE-2012-4534)
Vulnerability 3 - Apache Tomcat CSRF Prevention Filter Security Bypass Vulnerability:
National Vulnerability Database (NVD) (CVE-2012-4431)
Vulnerability 4 - Apache Tomcat FormAuthenticator Component Security Bypass Vulnerability:
National Vulnerability Database (NVD) (CVE-2012-3546)
Bottom line - Dell... PLEASE update the bundled version of Apache Tomcat in OMSA to a newer version (at least 7.0.32) that corrects these security vulnerabilities!
Thanks
Meera K
1 Message
0
February 13th, 2013 23:00
We have also come across these vulnerabilities recently. But as no workaround is found yet, these reports are getting highlighted in the audits.
If anyone knows the workaround until Dell comes up with a new version of Apache, please let us know.
EdgeDC
2 Posts
0
February 14th, 2013 08:00
We managed to get the information we needed to manually resolve this, but we had to create a support ticket to make it happen... something like this should just be posted publicly, IMO - as it is a serious enough issue that everyone should know how to resolve. It worked for us - the vulnerabilities are remediated, and OMSA still works. Apparently they are going to use a more current Apache Tomcat in future OMSA releases.
So, here's my community contribution - the exact instructions on how to do it:
Upgrade Tomcat instructions for OMSA 7.1 or 7.2:
Just replacing the apache-tomcat folder with the latest version, while retaining the web.xml, server.xml and keystore.db files in the apache-tomcat/conf folder, will work. Taking a careful backup of the apache-tomcat folder will help in reverting back.
Steps to follow:
Steps to revert back:
If the connection service doesn't start, it is required to revert the setup.
Known issues: The version will not show up correctly on the summary and about pages, as well as in CLI commands.
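The swap described in the instructions above, written up as an added shell example; it is not the thread's or Dell's own script. It keeps the three conf files named in the post, takes the backup the post recommends before touching anything, and can revert from that backup if the connection service will not start afterwards. The directory paths, the assumed tomcat-*.jar names used in the self-check, and the version prefix format "Apache Tomcat/x.y.z" are assumptions; the 7.0.32 threshold is the fixed version quoted by the scanner. Stop the OMSA connection service before running the swap.

```shell
#!/bin/sh
# Added example (not from the thread or from Dell): swap OMSA's bundled
# apache-tomcat directory for a newer Tomcat release while preserving
# conf/web.xml, conf/server.xml and conf/keystore.db, after backing up
# the old directory so the change can be reverted.

# Files under conf/ that must survive the swap (from the instructions above).
PRESERVE="web.xml server.xml keystore.db"
# First Tomcat 7.0.x release the scanner considers fixed for the CSRF filter.
FIXED_TOMCAT="7.0.32"

# version_lt A B: succeed (return 0) when dotted version A is older than B.
# Compares up to four numeric components; missing components count as 0.
version_lt() {
    va="$1"; vb="$2"; idx=1
    while [ "$idx" -le 4 ]; do
        x=$(printf '%s\n' "$va" | awk -F. -v n="$idx" '{print $n + 0}')
        y=$(printf '%s\n' "$vb" | awk -F. -v n="$idx" '{print $n + 0}')
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        idx=$((idx + 1))
    done
    return 1
}

# tomcat_needs_upgrade BANNER: succeed when a self-reported version such as
# "Apache Tomcat/7.0.29" (assumed banner format) is older than FIXED_TOMCAT.
tomcat_needs_upgrade() {
    ver=$(printf '%s\n' "$1" | sed 's#.*/##')
    version_lt "$ver" "$FIXED_TOMCAT"
}

# swap_tomcat OMSA_TOMCAT NEW_TOMCAT: move the current directory aside as a
# timestamped backup, copy the new release into place, then restore the
# preserved conf files from the backup. Prints the backup path on success.
swap_tomcat() {
    old="$1"; new="$2"
    [ -d "$old/conf" ] || { echo "no conf directory in $old" >&2; return 1; }
    [ -d "$new/conf" ] || { echo "no conf directory in $new" >&2; return 1; }
    backup="$old.bak-$(date +%Y%m%d%H%M%S)"
    mv "$old" "$backup" || return 1
    cp -R "$new" "$old" || return 1
    for f in $PRESERVE; do
        if [ -f "$backup/conf/$f" ]; then
            cp "$backup/conf/$f" "$old/conf/$f" || return 1
        else
            echo "warning: $backup/conf/$f not found; keeping the new file" >&2
        fi
    done
    printf '%s\n' "$backup"
}

# revert_tomcat OMSA_TOMCAT BACKUP: discard the swapped-in directory and put
# the backup back, for the case where the connection service will not start.
revert_tomcat() {
    cur="$1"; bak="$2"
    [ -d "$bak" ] || { echo "backup $bak not found" >&2; return 1; }
    rm -rf "$cur" && mv "$bak" "$cur"
}

# Command-line use (does nothing when sourced without arguments):
#   sh swap-tomcat.sh swap   /path/to/omsa/apache-tomcat /path/to/apache-tomcat-7.0.x
#   sh swap-tomcat.sh revert /path/to/omsa/apache-tomcat /path/to/apache-tomcat.bak-<stamp>
case "${1:-}" in
    swap)   swap_tomcat "$2" "$3" ;;
    revert) revert_tomcat "$2" "$3" ;;
esac
```

The backup is a rename rather than a copy, so it costs no extra disk space and the revert is a single move back; keystore.db is restored even when the new release ships no such file, which is the case for a stock Tomcat download.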
Daniel O
2 Posts
0
February 15th, 2013 15:00
Thanks for the workaround EdgeDC, I will have to give this a try on Monday.
sohaibraja
1 Message
0
July 11th, 2013 12:00
Thanks for the steps, these helped me out :)
Vulnerability management is very necessary and I think Dell systems are easy to use.
Ahdusammar1@kcoe52
2 Posts
0
July 12th, 2013 08:00
I'm not sure if this version of Apache was installed with a previous version of OMSA. I have disabled the service; I am still able to see the server in OMSA and OME.
I have validated that the server is no longer listening on port tcp/8080.
kcoe52
2 Posts
0
July 12th, 2013 08:00
I've also run into this; the security team has uncovered this as an issue with Apache2, not Tomcat.
I've run through the steps listed above and it is still showing a vulnerability with Apache2.
This is part of the report after running a new nessus scan after the work around listed in the above post.
55976 - Apache HTTP Server Byte Range DoS
Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression.
If the host is running a web server based on Apache httpd, contact the vendor for a fix.
dell-deepti
20 Posts
0
July 22nd, 2013 00:00
Hi,
OMSA 7.3 has been released and has Tomcat 7.0.39. Installing the latest OMSA will solve most of the vulnerabilities reported.