We recently installed Tomcat 5.5.23 in Windows server to support the Infor
WebUI (webtop) application.
We installed a certificate and are using SSL on port 8443. This all works
fine.

The local IT Security team ran an HP "Web Inspect" and it showed a High
vulnerability for SSLv3/TLS known as CVE-2009-3555.
We are running JVM JRE 1.6.0_17 on the server.
You state on the http://tomcat.apache.org/security-5.html site at end of
page that this is not a vulnerability depending on a number of factors.
This is very unclear for us.

The Web Inspect product stated that this must be fixed as follows:
"
Patches must be applied to the underlying web server and ssl library.
OpenSSL Patch: http://www.openssl.org/source/openssl-0.9.8l.tar.gz
Apache Mod-SSL Patch:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
These patches may cause issues with sites that require renegotiation.
(Sites requiring public HTTPS access with certain folders
protected by client-side certificates)
"

What can we do to make the vulnerability shown in Web Inspect go away?

Thanks.

Steve Johnson