Solved

Apache tomcat vulnerabilities

Posted on 2012-03-12
Last Modified: 2012-04-02
1) As a rough figure how often do Apache release security patches for Tomcat? I.e. per month, per week, how many?

2) And what tools can admins use to ensure that their apache is kept up to date? Do apache provide any free ones?

3) What would auditors look for when reviewing patch management procedures for non MS software? For example if you did a scan and it said "apache out of date", they may apply a patch and then rescan and it's gone, only for next week 5 more patches to come out and then it's insecure again, and the process isn't managed.

4) So what demonstrates good patch management, i.e. what visually shows the auditor that this problem won't happen again?
Question by:pma111
5 Comments
 
Author Comment

by:pma111
ID: 37709493
And should a vulnerability assessment/pen test identify "how things came to be so insecure", or is the VA/pen test really just to show "this is how insecure things are, here are the quick fixes, the strategy behind how these are prevented long term is your audit dept's problem not ours"?
Accepted Solution

by:
Leon Fester earned 2000 total points
ID: 37709789
Check the quick downloads section:
http://benchmarks.cisecurity.org/en-us/?route=default

Author Comment

by:pma111
ID: 37710190
Thanks for the benchmark, but I'd still appreciate replies in line with 1-5 posted above for future reference.
Expert Comment

by:Leon Fester
ID: 37719869
Did you even bother to look at the link and download one of the files from this site?

If you did then you'd see a whole lot more than just a 1-5 point.

Here is a snippet of one of the items in the Benchmarks

1.3.3 Lock the Apache User Account (Level 1, Scorable)
Description:
The user account under which Apache runs, should not have a valid password, but should be locked.

Rationale:
As a defense-in-depth measure the Apache user account should be locked to prevent logins, and to prevent a user from su-ing to apache using the password. In general, there shouldn’t be a need for anyone to su as apache. If a need does exist, sudo should be used instead, which would not require the apache account password.

Remediation:
Use the passwd command to lock the apache account: # passwd -l apache

Audit:
Ensure the apache account is locked using the following:
# passwd -s apache
The results will be similar to the following:
apache LK 2010-01-28 0 99999 7 -1 (Password locked.)

Default Value:
The default user is daemon and is locked.

So you've got information to do the following
Describe your problems/issues
Rationale behind the recommendation
Remediation Actions to fix the problem
How to audit
Default values

If you apply the benchmark remediation correctly then you probably won't have many failed audit issues.
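The audit step of benchmark item 1.3.3 quoted above can be scripted so that the same check runs the same way every time, which is the kind of repeatable evidence an auditor asks for. The script below is an added example and is not code from the CIS benchmark or from anyone in this thread. It assumes Linux shadow-utils, where the status query is `passwd -S` (uppercase) and the second field is L (locked), NP (no password) or P (usable password); the LK form in the benchmark's own sample line (Solaris-style `passwd -s`) is accepted as well. The status lines in `SAMPLE_STATUS` are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the CIS benchmark or from the thread above.
# Audits CIS Apache Benchmark item 1.3.3 ("Lock the Apache User Account")
# from passwd status output, so it can also run against captured lines offline.
#
# Assumptions not stated on the page:
#   * Linux shadow-utils prints the status with `passwd -S USER`; the second
#     field is L (locked), NP (no password) or P (usable password). Solaris
#     prints LK/NP/PS via lowercase `passwd -s`, which is the form used in the
#     benchmark's sample line. Both spellings of "locked" are accepted here.
#   * Querying another user's status needs root on Linux.

# account_status LINE: print the status field of one passwd status line.
account_status() {
    read -r _user status _rest <<EOF
$1
EOF
    printf '%s\n' "$status"
}

# is_locked LINE: succeed only when the password is locked. NP (empty
# password) is deliberately a failure: the control requires a lock, not
# merely the absence of a usable password.
is_locked() {
    case "$(account_status "$1")" in
        L|LK) return 0 ;;
        *)    return 1 ;;
    esac
}

# audit_line LINE: print PASS/FAIL for one status line; exit status mirrors it
# and the FAIL message names the benchmark's remediation command.
audit_line() {
    user=${1%% *}
    if is_locked "$1"; then
        printf 'PASS %s (password locked)\n' "$user"
    else
        printf 'FAIL %s (status %s, remediation: passwd -l %s)\n' \
            "$user" "$(account_status "$1")" "$user"
        return 1
    fi
}

# failing_accounts: read status lines on stdin, print one name per line for
# every account that is not locked (empty output means the control passes).
failing_accounts() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        is_locked "$line" || printf '%s\n' "${line%% *}"
    done
}

# audit_host USER...: query the live system (run as root) for each account
# and audit the result. Not exercised below, so the example runs offline.
audit_host() {
    rc=0
    for u in "$@"; do
        audit_line "$(passwd -S "$u" 2>/dev/null)" || rc=1
    done
    return $rc
}

# Constructed sample output (not captured from a real system). The first line
# is the benchmark's own example; the others are Linux-style.
SAMPLE_STATUS='apache LK 2010-01-28 0 99999 7 -1 (Password locked.)
tomcat L 03/12/2012 0 99999 7 -1
tomcat P 03/12/2012 0 99999 7 -1
www NP 03/12/2012 0 99999 7 -1'

# Demo: audit the constructed lines. Expected: two PASS, two FAIL.
printf '%s\n' "$SAMPLE_STATUS" | while IFS= read -r line; do
    audit_line "$line" || :
done
```

On a real host, `audit_host apache tomcat` (as root) runs the live check; the offline functions are what you would wire into a scheduled job or a configuration-management test so the evidence is collected on every run rather than once before the audit. Note that an account with an empty password (NP) is reported as FAIL on purpose: the benchmark asks for the account to be locked, and `passwd -l` is the fix in both cases.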
Author Comment

by:pma111
ID: 37723974
I did indeed and many thanks, but it would be useful to see how many on average security updates for apache are released per month, and I could find this information.