Solved

Workaround / mitigation for CVE-2011-3190

Posted on 2014-10-28
Last Modified: 2014-11-04
Both network and endpoint IPS vendors told us they don't have a signature
for this Tomcat CVE-2011-3190 yet; it's been a while.

a) Is there any workaround from the OS vendors (Red Hat & MS) to
    mitigate this?

b) Is there any other mitigation besides shutting down Tomcat?
Question by:sunhux
11 Comments
 
LVL 9

Assisted Solution

by:Ashok Dewan
Ashok Dewan earned 150 total points
ID: 40408043
Hi,
You haven't mentioned the version which is currently being used. But there are certain versions which are affected by the above vulnerability, so you can use the latest versions, i.e. 7.0.55 and 7.0.56, which are not affected.

List of versions which are affected:
http://www.cvedetails.com/cve/CVE-2011-3190/
Best to update.

Author Comment

by:sunhux
ID: 40408072
We can certainly address this high-risk "Apache Tomcat: AJP Message Injection Authentication Bypass" vulnerability by upgrading to version 6.0.40, 7.0.54, 8.0.6 or later of Apache Tomcat, but this is going to take a while and is not preferred, as it will take
some amount of testing.

Author Comment

by:sunhux
ID: 40408074
Our current version is 5.5.27; will updating to 5.5.34 pose a low
risk of breaking the apps, or does Ver 5.5.34 break anything in the app?

Author Comment

by:sunhux
ID: 40408080
Slight typo:

Will updating to Ver 5.5.34 pose no or low risk of breaking the apps, and
where can I download Ver 5.5.34 if it's still available somewhere (I hope
it's not been removed)?

Author Comment

by:sunhux
ID: 40408099
In our case, it's running on RHEL 5.x VMs
LVL 9

Expert Comment

by:Ashok Dewan
ID: 40411603
Here it is: http://olex.openlogic.com/packages/tomcat/5.5.34
I believe you might have checked this site already, right?

Author Comment

by:sunhux
ID: 40412854
Not yet, thanks.

Last question:
Is a small update to 5.5.34 less risky than a major jump to Ver 7.x?
LVL 64

Accepted Solution

by:btan
btan earned 250 total points
ID: 40416887
Looking at the Red Hat bug, consider the mitigation instead of shutting down. The severity is still moderate/medium, but it still needs to be patched, especially since it is such an old vulnerability. https://bugzilla.redhat.com/show_bug.cgi?id=734868

Users of affected versions should apply one of the following mitigations:
- Apply the appropriate patch
  - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
  - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
  - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
- Configure the reverse proxy and Tomcat's AJP connector(s) to use the requiredSecret attribute
e.g. Tomcat 5/6: it is the "request.secret" attribute in the AJP <Connector>,
   and the "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp module
   currently does not support shared secrets.

- Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not available for Tomcat 7.0.x)
e.g. It is automatically selected if you do not have the Tomcat-Native library
   installed. It can also be selected explicitly: <Connector
   protocol="org.apache.jk.server.JkCoyoteHandler">.

http://mail-archives.apache.org/mod_mbox/www-announce/201108.mbox/%3C4E5BEDE0.8010604@apache.org%3E

The advisories available for this CVE are listed at http://packetstormsecurity.com/files/cve/CVE-2011-3190
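As an added example (not part of the accepted answer, nor Apache or Red Hat material), the following Python script applies the shared-secret mitigation from the advisory quoted above as a configuration check: it parses a Tomcat server.xml, flags any AJP connector that carries neither a requiredSecret (Java/APR AJP connector, AJP/1.3) nor a request.secret (JkCoyoteHandler) attribute, and confirms that the value is also configured as worker.<name>.secret on an ajp13 worker in the mod_jk workers.properties. The sample server.xml and workers.properties are constructed for illustration and the secret value is a placeholder; the script assumes mod_jk is the reverse proxy, since the advisory text notes that mod_proxy_ajp of the time did not support shared secrets.

```python
"""Audit Tomcat server.xml and mod_jk workers.properties for the
shared-secret mitigation listed in the CVE-2011-3190 advisory.
Added example; the configuration snippets below are constructed."""
import xml.etree.ElementTree as ET

# Which attribute carries the shared secret depends on the connector
# implementation (as the Red Hat bug quoted in the thread notes): the Java/APR
# AJP connector uses requiredSecret, the legacy JkCoyoteHandler uses request.secret.
SECRET_ATTRS = ("requiredSecret", "request.secret")
AJP_PROTOCOLS = ("AJP/1.3", "org.apache.jk.server.JkCoyoteHandler")


def is_ajp_connector(conn):
    """True for any <Connector> that speaks AJP rather than HTTP."""
    proto = conn.get("protocol", "HTTP/1.1")
    return proto in AJP_PROTOCOLS or proto.startswith("org.apache.coyote.ajp.")


def audit_ajp_connectors(server_xml):
    """One finding per AJP connector: port, protocol and the secret, if any."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp_connector(conn):
            continue
        secret = next((conn.get(a) for a in SECRET_ATTRS if conn.get(a)), None)
        findings.append({"port": conn.get("port"),
                         "protocol": conn.get("protocol"),
                         "secret": secret})
    return findings


def parse_workers_properties(text):
    """Map each ajp13 worker in worker.list to its worker.<name>.secret (or None)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        props[key] = value
    names = [n.strip() for n in props.get("worker.list", "").split(",") if n.strip()]
    return {n: props.get("worker.%s.secret" % n)
            for n in names if props.get("worker.%s.type" % n) == "ajp13"}


def check_shared_secret(server_xml, workers_properties):
    """Return a list of problems; empty means every AJP connector requires a
    secret and at least one mod_jk worker is configured to send that secret."""
    worker_secrets = {s for s in parse_workers_properties(workers_properties).values() if s}
    problems = []
    for c in audit_ajp_connectors(server_xml):
        if not c["secret"]:
            problems.append("AJP connector on port %s (%s) accepts requests without a shared secret"
                            % (c["port"], c["protocol"]))
        elif c["secret"] not in worker_secrets:
            problems.append("AJP connector on port %s requires a secret no mod_jk worker sends"
                            % c["port"])
    return problems


# Constructed Tomcat 5.5-style server.xml: stock AJP connector, no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" redirectPort="8443" />
    <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

# Same file with the mitigation applied (the secret value is a placeholder).
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    'protocol="AJP/1.3" />',
    'protocol="AJP/1.3" requiredSecret="s3cr3t-example" />')

# Constructed mod_jk workers.properties carrying the matching secret.
WORKERS_PROPERTIES = """# mod_jk workers (constructed sample)
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.secret=s3cr3t-example
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, check_shared_secret(doc, WORKERS_PROPERTIES) or ["OK"])
```

The check only inspects configuration: it reports a connector that will accept AJP messages from anyone who can reach the port, and a secret that the proxy is not configured to send (which would break the proxy rather than the attacker). A clean result does not replace the patch or the upgrade discussed in this thread.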
LVL 62

Assisted Solution

by:gheist
gheist earned 100 total points
ID: 40417312
There are about 50+ serious security holes in Tomcat 5.5 alone, not counting that it does not run on Java 7 or 8.
So you have to migrate (actually you had to years ago).
LVL 64

Expert Comment

by:btan
ID: 40417740
Agreed as well; the CVE is old, and do not let low-hanging fruit exist, especially for internet-facing application systems. Do a collective review of the patches required and get the testing in a staging environment going.