Harold,

On 9/22/2011 11:51 AM, BARRON, HAROLD H CTR DISA EE wrote:
> Classification: UNCLASSIFIED

Thank god none of this is classified.

> I might have to write a plan of action to temporarily mitigate
> this issue until the update is posted. I just want to be able to
> present it in a way that my users will not have a problem
> understanding when I do.

Here's your plan:

"We're gonna set a pre-shared secret on both our web servers and our application servers and bounce everything. Then the chances of this attack being carried out are reduced to the key space of the secret. So, make up a big long string of random characters and set:

workers.properties:
worker.myWorker.secret=[super secret string]

server.xml:
<Connector request.secret="[super secret string]" ... "

mod_jk has an 8192-character limit on each configuration line of workers.properties. The form of the directive is:

worker.[workerName].secret=[here goes the secret]

That means that you have (8192 - 15 - strlen(workerName)) characters for your shared secret. That's a big space to search.

This is not a terribly arduous technique to mitigate this attack.

-chris