On 25/11/2013 08:22, Leon Rosenberg wrote:
> Morning everyone,
> 
> what can be a greater start to the morning than reading about the first tomcat worm
> found by symantec ;-)
> 
> http://www.symantec.com/connect/blogs/all-your-tomcat-are-belong-bad-guys

How good your morning will be after reading that article will depend
rather a lot on how careful you were configuring your Tomcat instance(s).

Folks that simply used the default installation have nothing to worry
about. The Manager application has been disabled (in the sense that no
user was granted access to it) by default in every release from 4.0.0
onwards. I didn't go back any further because a) 3.x was a very, very
long time ago and b) I never worked on 3.x and didn't fancy trying to
find my way around the very different code structure.

Folks that added a user to the Manager application and configured it
with a strong password have nothing to worry about.

Folks that enabled the commented out RemoteAddrValve for the Manager app
that limits access to localhost have nothing to worry about.

Folks that disabled the LockOutRealm in server.xml that protects against
brute-force password attacks (against any app - not just the Manager)
should probably be worried.

Folks that added a user to the Manager application and configured it
with a weak password might be about to have a bad day.

Attacks against Tomcat that exploit a publicly accessible Manager
application configured with a user with a weak password are nothing new.
The security@ list has been sent a number of examples of the malicious
apps that get installed via this route over the years. These examples go
all the way back to at least the 4.1.x days (when I first got involved
with Tomcat) and probably earlier.

The one thing that is new is that this exploit appears to be
self-replicating.

Unrelated to this issue, I have recently expanded the section of the
docs that covers securing the default applications. The updates will be
in the next release. Until then you can read it via the copy of the docs
built by the CI system:
http://ci.apache.org/projects/tomcat/tomcat8/docs/security-howto.html#Default_web_applications

The one question this raises for me is should the Manager application be
limited to localhost by default? I'd be interested in the community's
views on that.

> Enjoy your caffe.

Personally, I can't stand the taste of caffe but I did enjoy my beverage
of choice.

Mark
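The three settings Mark's checklist turns on (a Manager user with a strong password, the RemoteAddrValve on the Manager app, and the LockOutRealm left in place) as one added illustration of what they look like in the Tomcat 8 configuration files; these fragments are not part of the mail or the Tomcat docs, and the user name, password placeholder and lockout values are assumptions.

```xml
<!-- conf/tomcat-users.xml: grant the Manager role to a single dedicated
     account. The password value is a placeholder; use a long random one. -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="manager-admin"
        password="REPLACE_WITH_STRONG_RANDOM_PASSWORD"
        roles="manager-gui"/>
</tomcat-users>

<!-- conf/server.xml: keep the LockOutRealm wrapped around the user realm so
     repeated failed logins lock the account. failureCount and lockOutTime
     (seconds) are Tomcat's documented attributes; the values here are
     assumed for the example, Tomcat's own defaults are 5 and 300. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5" lockOutTime="600">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>

<!-- webapps/manager/META-INF/context.xml: the valve Tomcat ships commented
     out, uncommented so only loopback clients can reach the Manager app. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
```

If the Manager app sits behind a reverse proxy, the valve sees the proxy's address, so pair it with the RemoteIpValve or restrict access at the proxy instead.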

