Solved

Heartbleed Vulnerability and Tomcat on WIndows

Posted on 2014-04-11
6
100 Views
Last Modified: 2015-06-25
Hello Everyone,

By now I'm sure most of you have been running into the Heartbleed vulnerability. I am running a Windows 2008 Server R2 box with Tomcat and OpenSSL. I found that we are vulnerable by using site tests. Does anybody know how I can fix this vulnerability? Let me know of any additional info you may need. Below is a portion of my server.xml file. Also, since it's Tomcat doesn't Java do some funky things with it's massive memory dump file.. would that make us even vulnerable?

Tomcat Version: 5.5.26

Thanks!!

<Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
0
Comment
Question by:WindhamSD
6 Comments
 
LVL 88

Accepted Solution

by:
rindi earned 500 total points
ID: 39993965
Update to the newest version of OpenSSL. It must be newer than version "1.0.1f". Also get new SSL certificates. Once that is done, and if your site's visitors need to input a password when they access the SSL site, tell them to change their password (or do something that forces a password change).
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39993970
Also you should make sure passwords meet security standards like minimium length, upper case, lower case, number and possibly a special character.

Hope this helps!
0
 

Author Comment

by:WindhamSD
ID: 39993974
Awesome! Thanks guys, didn't think it would be that easy. I will need to do this off hours but I will post with my findings.
0
 

Author Comment

by:WindhamSD
ID: 39994076
Hmm.. So looking further into this, it doesn't look like I am ussing OpenSSL or I guess in better terms, I do not have the openssl executable in my tomcat bin directory. Is it possible that I'm not using OpenSSL? This is an old server that was setup long before I was employed here so I'm sorry for not having these answers.
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40850246
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
powershell script 9 67
LOGINSERVER and nltest /dsgetdc 3 41
Windows 2008 set profile 9 16
ACTIVE DIRECTORY, WINDOWS MODULE INSTALLER 4 17
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question