Solved

Workaround / mitigation for CVE2011-3190

Posted on 2014-10-28
11
165 Views
Last Modified: 2014-11-04
Both network & endpoint IPS vendors told us they don't have a signature
for this Tomcat CVE2011-3190  yet : been a while.

a) is there any workaround from the OS vendor (Redhat & MS) to
    mitigate this?

b) any other mitigation other than shutting down the Tomcat?
0
Comment
Question by:sunhux
  • 5
  • 2
  • 2
  • +1
11 Comments
 
LVL 9

Assisted Solution

by:Ashok Dewan
Ashok Dewan earned 150 total points
ID: 40408043
Hi,
You haven't mentioned the version which being is used now. But, there are certain versions which are affected by above vulnerability. So, you can use latest version i.e. 7.0.55 , 7.0.56 are not affected.

List of versions which are affected
http://www.cvedetails.com/cve/CVE-2011-3190/
Best to update
0
 

Author Comment

by:sunhux
ID: 40408072
We can certainly upgrade this high risk "Apache Tomcat: AJP Message Injection Authentication Bypass" vulnerability  to version 6.0.40, 7.0.54, 8.0.6 or later of Apache Tomcat but this is going to take a while & not preferred as it will take
some amount of testing
0
 

Author Comment

by:sunhux
ID: 40408074
OUr current version is 5.5.27 ;  will updating to 5.5.34 post a low
risk of breaking the apps & is Ver 5.5.34 break anything or the app?
0
 

Author Comment

by:sunhux
ID: 40408080
Slight typo:

will updating to Ver 5.5.34 pose no or low risk of breaking the apps &
where can I download Ver 5.5.34 if it's still available somewhere (hope
it's not been removed) ?
0
 

Author Comment

by:sunhux
ID: 40408099
In our case, it's running on RHEL 5.x VMs
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 9

Expert Comment

by:Ashok Dewan
ID: 40411603
Here is http://olex.openlogic.com/packages/tomcat/5.5.34
I believe you might have checked this site already. right ?
0
 

Author Comment

by:sunhux
ID: 40412854
Not yet, thanks.

Last question:
small update to 5.5.34 is less risky than a major jump to Ver 7.x ?
0
 
LVL 62

Accepted Solution

by:
btan earned 250 total points
ID: 40416887
Watching the Red Hat, consider the mitigation instead of shutting down. The severity is still moderate / medium but still need to be patched esp since it is such old vul. https://bugzilla.redhat.com/show_bug.cgi?id=734868

Users of affected versions should apply one of the following mitigation:
- Apply the appropriate patch
  - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
  - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
  - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
- Configure the reverse proxy and Tomcat's AJP connector(s) to use the requiredSecret attribute
e.g. tomcat5/6 -   (It is "request.secret" attribute in AJP <Connector>,
   "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp module
   currently does not support shared secrets).

- Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not available for Tomcat 7.0.x)
e.g. (It is automatically selected if you do not have Tomcat-Native library
   installed. It can be also selected explicitly: <Connector
   protocol="org.apache.jk.server.JkCoyoteHandler">).

http://mail-archives.apache.org/mod_mbox/www-announce/201108.mbox/%3C4E5BEDE0.8010604@apache.org%3E

Listed are advisory available in list for this CVE http://packetstormsecurity.com/files/cve/CVE-2011-3190
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 100 total points
ID: 40417312
There is about 50+ serious secuirty holes in Tomcar 5.5 alone, not counting that it does not run on Java 7 or 8
So you have to migrate (actually had to years ago)
0
 
LVL 62

Expert Comment

by:btan
ID: 40417740
agreed as well, the CVE is old and do not let low hanging exist esp for internet facing appl systems. do a collective review of the patches required and get the testing in staging env going
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Fine Tune your automatic Updates for Ubuntu / Debian
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

939 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now