• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 145
  • Last Modified:

Heartbleed Vulnerability and Tomcat on WIndows

Hello Everyone,

By now I'm sure most of you have been running into the Heartbleed vulnerability. I am running a Windows 2008 Server R2 box with Tomcat and OpenSSL. I found that we are vulnerable by using site tests. Does anybody know how I can fix this vulnerability? Let me know of any additional info you may need. Below is a portion of my server.xml file. Also, since it's Tomcat doesn't Java do some funky things with it's massive memory dump file.. would that make us even vulnerable?

Tomcat Version: 5.5.26


<Connector port="443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
1 Solution
Update to the newest version of OpenSSL. It must be newer than version "1.0.1f". Also get new SSL certificates. Once that is done, and if your site's visitors need to input a password when they access the SSL site, tell them to change their password (or do something that forces a password change).
Tony GiangrecoCommented:
Also you should make sure passwords meet security standards like minimium length, upper case, lower case, number and possibly a special character.

Hope this helps!
WindhamSDAuthor Commented:
Awesome! Thanks guys, didn't think it would be that easy. I will need to do this off hours but I will post with my findings.
WindhamSDAuthor Commented:
Hmm.. So looking further into this, it doesn't look like I am ussing OpenSSL or I guess in better terms, I do not have the openssl executable in my tomcat bin directory. Is it possible that I'm not using OpenSSL? This is an old server that was setup long before I was employed here so I'm sorry for not having these answers.
Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now