Solved

Heartbleed Vulnerability and Tomcat on WIndows

Posted on 2014-04-11
6
97 Views
Last Modified: 2015-06-25
Hello Everyone,

By now I'm sure most of you have been running into the Heartbleed vulnerability. I am running a Windows 2008 Server R2 box with Tomcat and OpenSSL. I found that we are vulnerable by using site tests. Does anybody know how I can fix this vulnerability? Let me know of any additional info you may need. Below is a portion of my server.xml file. Also, since it's Tomcat doesn't Java do some funky things with it's massive memory dump file.. would that make us even vulnerable?

Tomcat Version: 5.5.26

Thanks!!

<Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
0
Comment
Question by:WindhamSD
6 Comments
 
LVL 88

Accepted Solution

by:
rindi earned 500 total points
ID: 39993965
Update to the newest version of OpenSSL. It must be newer than version "1.0.1f". Also get new SSL certificates. Once that is done, and if your site's visitors need to input a password when they access the SSL site, tell them to change their password (or do something that forces a password change).
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39993970
Also you should make sure passwords meet security standards like minimium length, upper case, lower case, number and possibly a special character.

Hope this helps!
0
 

Author Comment

by:WindhamSD
ID: 39993974
Awesome! Thanks guys, didn't think it would be that easy. I will need to do this off hours but I will post with my findings.
0
 

Author Comment

by:WindhamSD
ID: 39994076
Hmm.. So looking further into this, it doesn't look like I am ussing OpenSSL or I guess in better terms, I do not have the openssl executable in my tomcat bin directory. Is it possible that I'm not using OpenSSL? This is an old server that was setup long before I was employed here so I'm sorry for not having these answers.
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40850246
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
RDS2012 vs RDS2008 4 38
maybe no no httpd.conf 6 47
Robocopy all drives in windows 2 29
SQL SERVER 2008 R2 Could not obtain information about Windows NT group/user 5 36
If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question