Workaround / mitigation for CVE2011-3190

Both network & endpoint IPS vendors told us they don't have a signature
for this Tomcat CVE2011-3190  yet : been a while.

a) is there any workaround from the OS vendor (Redhat & MS) to
    mitigate this?

b) any other mitigation other than shutting down the Tomcat?
sunhuxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ashok DewanFreelancerCommented:
Hi,
You haven't mentioned the version which being is used now. But, there are certain versions which are affected by above vulnerability. So, you can use latest version i.e. 7.0.55 , 7.0.56 are not affected.

List of versions which are affected
http://www.cvedetails.com/cve/CVE-2011-3190/
Best to update
sunhuxAuthor Commented:
We can certainly upgrade this high risk "Apache Tomcat: AJP Message Injection Authentication Bypass" vulnerability  to version 6.0.40, 7.0.54, 8.0.6 or later of Apache Tomcat but this is going to take a while & not preferred as it will take
some amount of testing
sunhuxAuthor Commented:
OUr current version is 5.5.27 ;  will updating to 5.5.34 post a low
risk of breaking the apps & is Ver 5.5.34 break anything or the app?
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

sunhuxAuthor Commented:
Slight typo:

will updating to Ver 5.5.34 pose no or low risk of breaking the apps &
where can I download Ver 5.5.34 if it's still available somewhere (hope
it's not been removed) ?
sunhuxAuthor Commented:
In our case, it's running on RHEL 5.x VMs
Ashok DewanFreelancerCommented:
Here is http://olex.openlogic.com/packages/tomcat/5.5.34
I believe you might have checked this site already. right ?
sunhuxAuthor Commented:
Not yet, thanks.

Last question:
small update to 5.5.34 is less risky than a major jump to Ver 7.x ?
btanExec ConsultantCommented:
Watching the Red Hat, consider the mitigation instead of shutting down. The severity is still moderate / medium but still need to be patched esp since it is such old vul. https://bugzilla.redhat.com/show_bug.cgi?id=734868

Users of affected versions should apply one of the following mitigation:
- Apply the appropriate patch
  - 7.0.x http://svn.apache.org/viewvc?rev=1162958&view=rev
  - 6.0.x http://svn.apache.org/viewvc?rev=1162959&view=rev
  - 5.5.x http://svn.apache.org/viewvc?rev=1162960&view=rev
- Configure the reverse proxy and Tomcat's AJP connector(s) to use the requiredSecret attribute
e.g. tomcat5/6 -   (It is "request.secret" attribute in AJP <Connector>,
   "worker.workername.secret" directive for mod_jk. The mod_proxy_ajp module
   currently does not support shared secrets).

- Use the org.apache.jk.server.JkCoyoteHandler AJP connector (not available for Tomcat 7.0.x)
e.g. (It is automatically selected if you do not have Tomcat-Native library
   installed. It can be also selected explicitly: <Connector
   protocol="org.apache.jk.server.JkCoyoteHandler">).

http://mail-archives.apache.org/mod_mbox/www-announce/201108.mbox/%3C4E5BEDE0.8010604@apache.org%3E

Listed are advisory available in list for this CVE http://packetstormsecurity.com/files/cve/CVE-2011-3190

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gheistCommented:
There is about 50+ serious secuirty holes in Tomcar 5.5 alone, not counting that it does not run on Java 7 or 8
So you have to migrate (actually had to years ago)
btanExec ConsultantCommented:
agreed as well, the CVE is old and do not let low hanging exist esp for internet facing appl systems. do a collective review of the patches required and get the testing in staging env going
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.