Christopher Schultz wrote:

Harold,

On 9/22/2011 11:51 AM, BARRON, HAROLD H CTR DISA EE wrote:
Classification:  UNCLASSIFIED

Thank god none of this is classified.

I might have to write a plan of action to temporarily mitigate
this issue until the update is posted. I just want to be able to
present it in a way that my users will not have a problem
understanding when I do.

Here's your plan:

"We're gonna set a pre-shared secret on both our web servers and our
application servers and bounce everything.

Addendum:
And then we're gonna make sure that the configuration files of Tomcat are given appropriate permissions so that only Tomcat and authorized users can browse said secret.
End of addendum.

Then the chances of this
attack being carried-out are reduced to the key space of the secret.
So, make-up a big long string of random characters and set:

workers.properties:
worker.myWorker.secret=[super secret string]

server.xml:
<Connector request.secret="[super secret string]" ...
"

mod_jk has an 8192-character limit on each configuration line of
workers.properties. The form of the directive is:

worker.[workerName].secret=[here goes the secret]

That means that you have (8192 - 15 - strlen(workerName)) characters
for your shared secret. That's a big space to search.

This is not a terribly arduous technique to mitigate this attack.

- -chris
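A small helper for rolling out the plan above, added here as an example and not part of the original thread: it generates the secret from the CSPRNG, computes the character budget the mail derives from the 8192-character mod_jk line limit, emits the workers.properties line and the Connector attribute (using the `request.secret` name exactly as the mail gives it), and checks that both files carry the same value, since a mismatch means mod_jk requests get rejected after the bounce. The worker name `myWorker` and the sample config text are constructed for the demonstration.

```python
import re
import secrets
import string

# mod_jk limit on one workers.properties line, as stated in the mail above.
MAX_LINE = 8192
# "worker." (7 chars) + ".secret=" (8 chars) = the 15 chars of fixed overhead.
FIXED_OVERHEAD = len("worker.") + len(".secret=")


def secret_budget(worker_name: str) -> int:
    """Characters left for the secret on the workers.properties line."""
    return MAX_LINE - FIXED_OVERHEAD - len(worker_name)


def generate_secret(length: int = 64) -> str:
    """Random secret from the OS CSPRNG; letters and digits only, so it needs
    no escaping in a .properties file or inside an XML attribute value."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def workers_line(worker_name: str, secret: str) -> str:
    """The workers.properties directive, refused if it would exceed the limit."""
    line = f"worker.{worker_name}.secret={secret}"
    if len(line) > MAX_LINE:
        raise ValueError(f"line is {len(line)} chars, mod_jk limit is {MAX_LINE}")
    return line


def connector_attr(secret: str) -> str:
    """Attribute for the AJP <Connector>, using the name given in the mail."""
    return f'request.secret="{secret}"'


def secrets_agree(workers_props: str, server_xml: str, worker_name: str) -> bool:
    """Defender's consistency check: the secret configured for the worker in
    workers.properties must equal the one on the Connector in server.xml."""
    m1 = re.search(rf"^worker\.{re.escape(worker_name)}\.secret=(.*)$",
                   workers_props, re.M)
    m2 = re.search(r'request\.secret="([^"]*)"', server_xml)
    if not (m1 and m2):
        return False
    return secrets.compare_digest(m1.group(1).strip(), m2.group(1))


if __name__ == "__main__":
    # Constructed sample configuration, not taken from the thread.
    s = generate_secret()
    wp = "worker.list=myWorker\nworker.myWorker.type=ajp13\n" + workers_line("myWorker", s) + "\n"
    sx = f'<Connector port="8009" protocol="AJP/1.3" {connector_attr(s)} />'
    print(secret_budget("myWorker"), secrets_agree(wp, sx, "myWorker"))
```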

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org