?
Solved

Heartbleed Vulnerability and Tomcat on WIndows

Posted on 2014-04-11
6
Medium Priority
?
118 Views
Last Modified: 2015-06-25
Hello Everyone,

By now I'm sure most of you have been running into the Heartbleed vulnerability. I am running a Windows 2008 Server R2 box with Tomcat and OpenSSL. I found that we are vulnerable by using site tests. Does anybody know how I can fix this vulnerability? Let me know of any additional info you may need. Below is a portion of my server.xml file. Also, since it's Tomcat doesn't Java do some funky things with it's massive memory dump file.. would that make us even vulnerable?

Tomcat Version: 5.5.26

Thanks!!

<Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
0
Comment
Question by:WindhamSD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 88

Accepted Solution

by:
rindi earned 2000 total points
ID: 39993965
Update to the newest version of OpenSSL. It must be newer than version "1.0.1f". Also get new SSL certificates. Once that is done, and if your site's visitors need to input a password when they access the SSL site, tell them to change their password (or do something that forces a password change).
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39993970
Also you should make sure passwords meet security standards like minimium length, upper case, lower case, number and possibly a special character.

Hope this helps!
0
 

Author Comment

by:WindhamSD
ID: 39993974
Awesome! Thanks guys, didn't think it would be that easy. I will need to do this off hours but I will post with my findings.
0
 

Author Comment

by:WindhamSD
ID: 39994076
Hmm.. So looking further into this, it doesn't look like I am ussing OpenSSL or I guess in better terms, I do not have the openssl executable in my tomcat bin directory. Is it possible that I'm not using OpenSSL? This is an old server that was setup long before I was employed here so I'm sorry for not having these answers.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40850246
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Want to be a Web Developer? Get Certified Today!

Enroll in the Certified Web Development Professional course package to learn HTML, Javascript, and PHP. Build a solid foundation to work toward your dream job!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question