Solved

Workaround / mitigation for CVE-2011-3190

Posted on 2014-10-28
170 Views
Last Modified: 2014-11-04
Both network & endpoint IPS vendors told us they don't have a signature
for this Tomcat CVE-2011-3190 yet; been a while.

a) is there any workaround from the OS vendor (Redhat & MS) to
    mitigate this?

b) any other mitigation other than shutting down the Tomcat?
Question by:sunhux
11 Comments
 
LVL 9

Assisted Solution

by:Ashok Dewan
Ashok Dewan earned 150 total points
ID: 40408043
Hi,
You haven't mentioned the version which is being used now. But there are certain versions which are affected by the above vulnerability. So, you can use the latest version, i.e. 7.0.55 and 7.0.56, which are not affected.

List of versions which are affected:
http://www.cvedetails.com/cve/CVE-2011-3190/
Best to update.
 

Author Comment

by:sunhux
ID: 40408072
We can certainly upgrade this high risk "Apache Tomcat: AJP Message Injection Authentication Bypass" vulnerability to version 6.0.40, 7.0.54, 8.0.6 or later of Apache Tomcat, but this is going to take a while & is not preferred as it will take
some amount of testing.
 

Author Comment

by:sunhux
ID: 40408074
Our current version is 5.5.27; will updating to 5.5.34 pose a low
risk of breaking the apps & does Ver 5.5.34 break anything or the app?

 

Author Comment

by:sunhux
ID: 40408080
Slight typo:

will updating to Ver 5.5.34 pose no or low risk of breaking the apps &
where can I download Ver 5.5.34 if it's still available somewhere (hope
it's not been removed)?
 

Author Comment

by:sunhux
ID: 40408099
In our case, it's running on RHEL 5.x VMs.
 
LVL 9

Expert Comment

by:Ashok Dewan
ID: 40411603
Here is http://olex.openlogic.com/packages/tomcat/5.5.34
I believe you might have checked this site already, right?
 

Author Comment

by:sunhux
ID: 40412854
Not yet, thanks.

Last question:
is a small update to 5.5.34 less risky than a major jump to Ver 7.x?
 
LVL 63

Accepted Solution

by:btan
btan earned 250 total points
ID: 40416887
Watching Red Hat, consider the mitigation instead of shutting down. The severity is still moderate / medium, but it still needs to be patched, esp. since it is such an old vul. https://bugzilla.redhat.com/show_bug.cgi?id=734868

Users of affected versions should apply one of the following mitigations:
- Apply the appropriate patch
  - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
  - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
  - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
- Configure the reverse proxy and Tomcat's AJP connector(s) to use the requiredSecret attribute
  e.g. Tomcat 5/6: it is the "request.secret" attribute in the AJP <Connector>, and the
  "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp module
  currently does not support shared secrets.
- Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not available for Tomcat 7.0.x)
  e.g. it is automatically selected if you do not have the Tomcat-Native library
  installed. It can also be selected explicitly:
  <Connector protocol="org.apache.jk.server.JkCoyoteHandler">.

http://mail-archives.apache.org/mod_mbox/www-announce/201108.mbox/%3C4E5BEDE0.8010604@apache.org%3E

Advisories available for this CVE are listed at http://packetstormsecurity.com/files/cve/CVE-2011-3190
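As an added check (not part of this thread, and not Tomcat's or Red Hat's own tooling), a small Python audit that parses a server.xml and reports which AJP connectors still lack the shared-secret attributes the advisory names (requiredSecret, or request.secret on Tomcat 5/6) and which already use the JkCoyoteHandler connector; the sample server.xml and the secret value are constructed for the example.

```python
"""Flag Tomcat AJP connectors lacking the shared-secret mitigation for CVE-2011-3190."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from any real deployment): one AJP
# connector with no secret, one with a secret, one using JkCoyoteHandler.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Connector port="8010" protocol="AJP/1.3" requiredSecret="example-shared-secret"/>
    <Connector port="8011" protocol="org.apache.jk.server.JkCoyoteHandler"/>
  </Service>
</Server>
"""

# Attribute names given in the advisory text: requiredSecret, and
# request.secret for the AJP <Connector> on Tomcat 5/6.
SECRET_ATTRS = ("requiredSecret", "request.secret")
JK_COYOTE = "org.apache.jk.server.JkCoyoteHandler"


def is_ajp_connector(conn):
    """True for AJP/1.3 and for the AjpProtocol/AjpAprProtocol class names."""
    proto = conn.get("protocol", "HTTP/1.1")
    return proto.startswith("AJP/") or "Ajp" in proto


def audit_ajp_connectors(server_xml):
    """Return (port, status) per AJP-speaking connector.

    status: 'exposed' (no secret), 'ok-secret', or 'ok-jkcoyote'.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol") == JK_COYOTE:
            findings.append((port, "ok-jkcoyote"))
        elif is_ajp_connector(conn):
            # An empty secret is as good as none, so test the value, not the key.
            has_secret = any(conn.get(attr) for attr in SECRET_ATTRS)
            findings.append((port, "ok-secret" if has_secret else "exposed"))
    return findings


def exposed_ports(server_xml):
    """Ports of AJP connectors that still need a secret (or JkCoyoteHandler)."""
    return [port for port, status in audit_ajp_connectors(server_xml) if status == "exposed"]
```

Run it against a real server.xml by reading the file into a string and passing it to audit_ajp_connectors; any 'exposed' port is one the reverse proxy side (worker.workername.secret for mod_jk) must also be configured for once the secret is added.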
 
LVL 62

Assisted Solution

by:gheist
gheist earned 100 total points
ID: 40417312
There are about 50+ serious security holes in Tomcat 5.5 alone, not counting that it does not run on Java 7 or 8.
So you have to migrate (actually had to years ago).
 
LVL 63

Expert Comment

by:btan
ID: 40417740
Agreed as well; the CVE is old, and do not let low-hanging fruit exist, esp. for internet-facing app systems. Do a collective review of the patches required and get the testing in the staging env going.
