Please note that the security mailing list should only be used for reporting undisclosed security vulnerabilities in Apache Tomcat and managing the process of fixing such vulnerabilities.
We cannot accept regular bug reports or other queries at this address. All mail sent to this address that does not relate to an undisclosed security problem in the Apache Tomcat source code will be ignored. If you need to report a bug that isn't an undisclosed security vulnerability, please use the bug reporting page. Please see the mailing lists page for details of how to subscribe. The private security mailing address is: security tomcat.
Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds to generic problems such as a client streaming lots of data to your server, or re-requesting the same URL repeatedly. The following are 15 ways to secure Apache Tomcat 8 out-of-the-box. This line of advice applies to most web server platforms: web-related services should not be run by user accounts with a high level of administrative access. In Tomcat's case, a user with the minimum necessary OS permissions should be created exclusively to run the Tomcat process.
Most web server platforms also ship a set of sample or test web applications for demo and learning purposes. These applications have been known to harbor vulnerabilities, and should be removed if not in use.
Tomcat's examples web application is one that should be removed to prevent exploitation. Disabling the shutdown port prevents malicious actors from shutting down Tomcat's web services. Either disable the shutdown port by setting the port attribute in the server.
If the port must be kept open, be sure to configure a strong password for shutdown. Though useful for debugging, enabling allowTrace can expose some browsers to a cross-site scripting (XSS) attack. This can be mitigated by disabling allowTrace in the server. If enabled, Tomcat will send information such as the Servlet and JSP specification versions and the full Tomcat version, among others. This gives attackers a workable starting point for crafting an attack.
To prevent this information leakage, disable the xpoweredBy attribute in the server. An attacker can gain access to sensitive information such as passwords and browser cookies by exploiting this vulnerability; consequently, SSL v3, and SSL in general, should not be included in server. This is especially critical in hosted environments where other web applications sharing the same server resources cannot be trusted.
Tomcat's realms are designed differently, and their limitations should be understood before use. This can be configured by setting the org. By doing this, you reduce the chance of a buggy application exposing data between requests. Listing the contents of directories with a large number of files can consume considerable system resources, and can therefore be used in a denial-of-service (DoS) attack. Setting listings to false under DefaultServlet mitigates this risk.
In general, logs should be generated and maintained on all levels e. However, if not, be sure to set the host attributes autoDeploy, deployOnStartup, and deployXML to false to prevent them from being compromised by an attacker. Tomcat Manager enables easy configuration and management of Tomcat instances through one web interface. Convenient, no doubt, for both authorized administrators and attackers.
Alternative methods for administering Tomcat instances are therefore better, but if Tomcat Manager must be used, be sure to use its configuration options to limit your risk exposure.
Connectors by default listen to all interfaces. For better security, they should only listen to those required by your web application and ignore the rest. This can be accomplished by setting the address attribute of the connector element. In short, Apache Tomcat's popularity invariably means that its vulnerabilities and exploits are well known by both security professionals and malicious actors alike.
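As an added illustration of the server.xml checks in the list above (example code written for this page, not from the original post, ScriptRock or the Tomcat project): a Python script that parses a Tomcat server.xml and reports the settings the list recommends changing, namely the shutdown port and its default command, allowTrace, xpoweredBy, legacy SSL protocols on TLS connectors, connectors with no address attribute, and the three automatic-deployment host attributes. It assumes the standard attribute names Tomcat uses in server.xml; both sample configurations are constructed for the demo. The listings setting lives in web.xml rather than server.xml and is not covered here.

```python
"""Audit a Tomcat server.xml for the hardening settings listed above.

Added example, not from the original post or the Tomcat project. Assumes the
standard server.xml attribute names: Server port/shutdown, Connector
allowTrace/xpoweredBy/address/sslEnabledProtocols/sslProtocol, and Host
autoDeploy/deployOnStartup/deployXML.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a deliberately weak configuration used as test input.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="true" xpoweredBy="true"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               address="127.0.0.1"
               sslEnabledProtocols="SSLv3,TLSv1.2"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            autoDeploy="true" deployOnStartup="true" deployXML="true"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same layout with the recommended settings applied.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            autoDeploy="false" deployOnStartup="false" deployXML="false"/>
    </Engine>
  </Service>
</Server>
"""


def _is_true(value):
    # A missing attribute falls back to Tomcat's default; each check states that default.
    return value is not None and value.strip().lower() == "true"


def audit_server_xml(xml_text):
    """Return a list of (element, finding) tuples for settings that weaken security."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Shutdown port: -1 disables it. If it stays enabled, the stock
    #    shutdown string is guessable, so flag that as well.
    port = root.get("port", "8005")
    if port != "-1":
        findings.append(("Server", f"shutdown port {port} is enabled (set port=\"-1\" to disable)"))
        if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
            findings.append(("Server", "shutdown command is the default SHUTDOWN string"))

    for conn in root.iter("Connector"):
        label = f"Connector port={conn.get('port', '?')}"
        # 2. TRACE method (allowTrace defaults to false).
        if _is_true(conn.get("allowTrace")):
            findings.append((label, "allowTrace is true"))
        # 3. X-Powered-By header (xpoweredBy defaults to false).
        if _is_true(conn.get("xpoweredBy")):
            findings.append((label, "xpoweredBy is true"))
        # 4. Legacy SSL protocols: any SSL* entry in the protocol lists.
        protocols = conn.get("sslEnabledProtocols", "") + "," + conn.get("sslProtocol", "")
        weak = [p.strip() for p in protocols.split(",") if p.strip().upper().startswith("SSL")]
        if weak:
            findings.append((label, f"legacy SSL protocol(s) enabled: {', '.join(weak)}"))
        # 5. Without an address attribute the connector binds every interface.
        if conn.get("address") is None:
            findings.append((label, "no address attribute: listens on all interfaces"))

    for host in root.iter("Host"):
        label = f"Host name={host.get('name', '?')}"
        # 6. Automatic deployment attributes (each defaults to true in Tomcat).
        for attr in ("autoDeploy", "deployOnStartup", "deployXML"):
            if host.get(attr, "true").strip().lower() != "false":
                findings.append((label, f"{attr} is not false"))

    return findings


if __name__ == "__main__":
    for element, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"{element}: {finding}")
```

Run against the weak sample the script reports nine findings; against the hardened sample it reports none. To use it on a real instance, read the file from the Tomcat conf directory into a string and pass it to audit_server_xml; the defaults used for missing attributes are the Tomcat defaults, so an attribute that is simply absent is judged the way Tomcat would treat it.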
Out-of-the-box security is never sufficient for protecting against today's cyber threats, and proper hardening of Tomcat is especially critical given the server platform's ubiquity. Looking for a way to perform these hardening checks and more, automatically, with just a few mouse clicks?
Check out ScriptRock's platform for vulnerability detection and security monitoring. It's free for up to 10 servers, so try it today on us.