Tomcat Security Issues

Author: knut.dybendahl@gmail.com (Knut)

Hi all, I'm not sure which forum this belongs to - but since it's starting with the development of secure web applications I thought I'd drop it in here.

There are a number of security alerts and warnings associated with the version of Tomcat shipped with the latest version of Uniface - up to and including version 9.6.06 - with 1 security hole and 11 security warnings on a PCI check from Comodo - causing sites to be PCI non-compliant (which is NOT good). From what I can tell, all of the issues have been resolved with the latest version of Tomcat, version 7.0.55.

1) Are there any issues with upgrading the Tomcat server to 7.0.55, since we'd break the long-standing "the Lab hasn't tested that specific configuration - hence it's unsupported" mantra?
2) Does the Lab / others in the Uniface community have a best practices method to stay on top of Tomcat issues?
3) Would I be able to shield these issues by using IIS as a frontend to the Tomcat engine, as IIS would have to deal with the SSL / TLS issues?
4) Should we have a 'Security' sub forum?

Knut

3 Comments

  1. Hi Knut. The installed Tomcat server is mainly intended for development. In the doc you can find the following info about Tomcat:

    Uniface Library > Theme: Web Applications > Web Technologies > Apache Tomcat: For development, the Tomcat server is an integral part of the testing environment, and using another web server is not recommended. The Tomcat server delivered with the Uniface APS is automatically installed and configured during installation so that you can test, debug, and deploy web applications and workflows without first having to install and configure a separate web server and servlet engine.

    For deployment you can choose any web server capable of connecting to a servlet engine that is compliant with the 3.0 Java servlet specification (see the Uniface PAM - Platform Availability Matrix; e.g. Uniface 9.6 PAM).

    Knut said: 1) Are there any issues with upgrading the Tomcat server to 7.0.55, since we'd break the long-standing "the Lab hasn't tested that specific configuration - hence it's unsupported" mantra?

    No, there should not. As stated above, as long as the servlet engine the web server is using is compliant with the Java Servlet API version 3.0 it should work. And did you really get a statement from support that you cannot upgrade the 7.0.xx Tomcat version shipped with the Uniface distribution to a higher version of Tomcat 7.0? It's a different story when going to a higher Tomcat version that would (e.g.) support a higher version of the Java Servlet API.

    Knut said: 2) Does the Lab / others in the Uniface community have a best practices method to stay on top of Tomcat issues?

    I guess one should use the same approach as keeping the other 3rd party components Uniface is interacting with up-to-date (e.g. OS, database, ...).

    Knut said: 3) Would I be able to shield these issues by using IIS as a frontend to the Tomcat engine, as IIS would have to deal with the SSL / TLS issues?

    I don't claim to be an expert for web servers. In case the security issues you are referring to are all located in the web server functionality of Tomcat and not the servlet engine then it might work. Although it is probably better to keep Tomcat up-to-date.

    Knut said: 4) Should we have a 'Security' sub forum?

    Might be a good idea indeed. Hope this helps. And thanks for sharing your concerns. Daniel


    Author: diseli (daniel.iseli@uniface.com)
  2. diseli said: The installed Tomcat server is mainly intended for development. In the doc you can find the following info about Tomcat:
    Uniface Library > Theme: Web Applications > Web Technologies > Apache Tomcat: For development, the Tomcat server is an integral part of the testing environment, and using another web server is not recommended.

    and this is where I wanted to install / test my HTTPS and certificates. In other words, reading between the lines, my development and testing could be different from my production - which really isn't a good idea...

    I totally understand the use of 3rd party products and that Uniface cannot run a support desk for those products. What might be a good idea though - when there's a new release of something as important as the Tomcat server, that said new release gets included in the next version / service pack of Uniface...

    Daniel, I appreciate the time taken to answer my original post. SW development and distribution is an everlasting, ongoing discussion!

    Thanks, Knut


    Author: Knut (knut.dybendahl@gmail.com)
  3. Hello Knut, you are welcome. And you are of course raising a valid point here. I probably was thinking more of our larger customers that have separate environments for developing, testing and deployment. But not everyone has the luxury of such a setup.

    I also agree that we should make sure that a recent version of Tomcat is shipped with a new maintenance release version (edist). Whether it would also be possible to package an updated Tomcat version with a Maintenance Pack, I'm not sure. At this moment the content of a patch or Maintenance Pack is (just) copied over the current installation of a Uniface release. I'm not certain if this is something that would also easily work with Tomcat.

    Anyway, I know that we have plans (being the operative word here) to update the third party software we ship with Uniface on a more regular basis. But I'm currently not sure if this would also include Tomcat and what the time frame for this is. Hope this helps. Daniel

    P.S. I took the liberty of formatting your last post so that it's more readable.


    Author: diseli (daniel.iseli@uniface.com)
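The first reply above makes two practical points that can be checked rather than just discussed: stay on a Tomcat 7.0.x build at or above the one that clears the reported findings (7.0.55 in Knut's post), and if IIS is put in front of Tomcat to handle TLS, make sure Tomcat itself is only reachable through that proxy and knows it is being proxied. The script below is an added example written for this thread; it is not code from the thread, from Uniface or from the Tomcat project. It works on two strings constructed inline here that stand in for real files: the `org/apache/catalina/util/ServerInfo.properties` entry inside `lib/catalina.jar`, and `conf/server.xml`. The minimum version, the sample configurations and the wording of the findings are assumptions for illustration.

```python
"""Offline sanity checks for a Tomcat 7.0.x install that sits behind an IIS reverse proxy.

Added example for this thread (not Uniface or Tomcat code). The inputs are
constructed strings standing in for two real files:
  - org/apache/catalina/util/ServerInfo.properties inside lib/catalina.jar
  - conf/server.xml
"""
import re
import xml.etree.ElementTree as ET

# Assumption: the thread names 7.0.55 as the release that clears the PCI findings.
MIN_VERSION = (7, 0, 55)

# Constructed samples of ServerInfo.properties from an older and a patched install.
SAMPLE_OLD_SERVER_INFO = "server.info=Apache Tomcat/7.0.42\nserver.number=7.0.42.0\n"
SAMPLE_NEW_SERVER_INFO = "server.info=Apache Tomcat/7.0.55\nserver.number=7.0.55.0\n"

# Constructed server.xml resembling a stock Tomcat 7 install: HTTP on 8080 and
# AJP on 8009, both bound to every interface, and no proxy-awareness valve.
SAMPLE_WEAK_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed server.xml for the IIS-fronted layout: only a proxy on the same
# box can reach Tomcat, AJP is gone, and RemoteIpValve restores the client IP
# and the HTTPS scheme from the headers the proxy adds.
SAMPLE_HARDENED_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
               connectionTimeout="20000"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             internalProxies="127\\.0\\.0\\.1"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_version(server_info: str) -> tuple:
    """Return (major, minor, patch) from the server.number line."""
    m = re.search(r"^server\.number=(\d+)\.(\d+)\.(\d+)", server_info, re.M)
    if not m:
        raise ValueError("no server.number line found")
    return tuple(int(part) for part in m.groups())


def version_ok(server_info: str, minimum: tuple = MIN_VERSION) -> bool:
    """True when the installed Tomcat is at or above the required 7.0.x build."""
    return parse_version(server_info) >= minimum


def audit_server_xml(xml_text: str) -> list:
    """Return human-readable findings; an empty list means the proxy layout looks right."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
        port = conn.get("port")
        if proto.startswith("AJP"):
            findings.append(
                f"AJP connector on port {port} is enabled; remove it unless IIS "
                f"really connects over AJP, and then bind it to loopback")
        elif conn.get("address") not in LOOPBACK:
            findings.append(
                f"{proto} connector on port {port} listens on all interfaces; "
                f"set address=\"127.0.0.1\" so only the IIS proxy can reach it")
    valves = {v.get("className", "") for v in root.iter("Valve")}
    if "org.apache.catalina.valves.RemoteIpValve" not in valves:
        findings.append(
            "RemoteIpValve is missing; behind a TLS-terminating proxy Tomcat will "
            "log the proxy's address and treat every request as plain HTTP")
    return findings


if __name__ == "__main__":
    for label, info in (("old", SAMPLE_OLD_SERVER_INFO), ("new", SAMPLE_NEW_SERVER_INFO)):
        print(f"{label}: version {parse_version(info)} ok={version_ok(info)}")
    for label, xml in (("weak", SAMPLE_WEAK_XML), ("hardened", SAMPLE_HARDENED_XML)):
        print(f"{label}: {audit_server_xml(xml) or ['no findings']}")
```

On the IIS side the matching piece is a reverse-proxy rule (URL Rewrite with Application Request Routing) that forwards to http://127.0.0.1:8080 and sets X-Forwarded-For and X-Forwarded-Proto, which is what the RemoteIpValve in the hardened sample consumes. As Daniel's reply notes, this only takes the TLS handling and the directly exposed listener out of Tomcat's hands; a defect in the servlet engine itself is still reachable through the proxy, so the version check remains the real fix.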