Solved

Heartbleed Vulnerability and Tomcat on Windows

Posted on 2014-04-11
Last Modified: 2015-06-25
Hello Everyone,

By now I'm sure most of you have been running into the Heartbleed vulnerability. I am running a Windows 2008 Server R2 box with Tomcat and OpenSSL. I found that we are vulnerable by using site tests. Does anybody know how I can fix this vulnerability? Let me know of any additional info you may need. Below is a portion of my server.xml file. Also, since it's Tomcat, doesn't Java do some funky things with its massive memory dump file... would that make us even vulnerable?

Tomcat Version: 5.5.26

Thanks!!

<Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
Question by:WindhamSD
6 Comments
 
LVL 88

Accepted Solution

by:
rindi earned 2000 total points
ID: 39993965
Update to the newest version of OpenSSL. It must be newer than version "1.0.1f". Also get new SSL certificates. Once that is done, and if your site's visitors need to input a password when they access the SSL site, tell them to change their password (or do something that forces a password change).
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39993970
Also you should make sure passwords meet security standards like minimum length, upper case, lower case, number and possibly a special character.

Hope this helps!
0
 

Author Comment

by:WindhamSD
ID: 39993974
Awesome! Thanks guys, didn't think it would be that easy. I will need to do this off hours but I will post with my findings.
0
 

Author Comment

by:WindhamSD
ID: 39994076
Hmm.. So looking further into this, it doesn't look like I am using OpenSSL or I guess in better terms, I do not have the openssl executable in my Tomcat bin directory. Is it possible that I'm not using OpenSSL? This is an old server that was set up long before I was employed here so I'm sorry for not having these answers.
0
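An added example, not part of the original thread or of Tomcat's own code: a Python sketch of the two checks this exchange turns on, namely whether a `<Connector>` is configured in the JSSE (Java TLS) style or the APR/native (OpenSSL) style, and whether an `openssl version` banner falls in the Heartbleed-affected range the accepted answer refers to. The attribute-name check is a heuristic rather than proof of which connector is loaded, and the sample connectors, file paths and banners are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names from Tomcat's HTTP connector documentation.
JSSE_ATTRS = {"sslProtocol", "clientAuth", "keystoreFile", "keystorePass", "keystoreType"}
APR_ATTRS = {"SSLEngine", "SSLProtocol", "SSLCertificateFile", "SSLCertificateKeyFile"}

# Constructed sample: the attributes quoted in the question, closed so it parses.
PAGE_STYLE_CONNECTOR = ('<Connector port="443" scheme="https" secure="true" '
                        'clientAuth="false" sslProtocol="TLS" />')
# Constructed sample of an APR/native connector; the file paths are hypothetical.
APR_STYLE_CONNECTOR = ('<Connector port="443" SSLEngine="on" '
                       'SSLCertificateFile="conf/server.crt" '
                       'SSLCertificateKeyFile="conf/server.key" />')

def connector_tls_style(connector_xml):
    """Heuristic: classify a <Connector> by the TLS attribute names it uses."""
    attrs = set(ET.fromstring(connector_xml).attrib)
    if attrs & APR_ATTRS:
        return "apr-openssl"   # APR/native connector: TLS is handled by OpenSSL
    if attrs & JSSE_ATTRS:
        return "jsse"          # Java's own TLS stack, OpenSSL is not involved
    return "unknown"

def heartbleed_affected(version_banner):
    """True for OpenSSL 1.0.1 through 1.0.1f and for 1.0.2-beta1."""
    m = re.search(r"(\d+\.\d+\.\d+)([a-z]*)(?:-beta(\d+))?", version_banner)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % version_banner)
    base, letter, beta = m.groups()
    if base == "1.0.1":
        # An empty suffix (plain 1.0.1) sorts before "a"; the fix shipped in 1.0.1g.
        return len(letter) <= 1 and letter <= "f"
    if base == "1.0.2":
        return beta == "1"     # the fix shipped in 1.0.2-beta2
    return False               # the 0.9.8 and 1.0.0 branches have no heartbeat code

if __name__ == "__main__":
    for xml_text in (PAGE_STYLE_CONNECTOR, APR_STYLE_CONNECTOR):
        print(connector_tls_style(xml_text))
    for banner in ("OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1f 6 Jan 2014",
                   "OpenSSL 1.0.1g 7 Apr 2014"):
        print(banner, "->", heartbleed_affected(banner))
```

Whatever library actually terminates TLS for the site is the one whose version matters; the missing `openssl` executable alone does not settle that, because a native library can link OpenSSL without shipping the command-line tool.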
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40850246
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
