For example, the session manager implementation is pluggable, and even the default implementation has support for pluggable random number generators. However, like all other components of Tomcat, you can customize any and all of the relevant parts of the server to achieve even higher security. We believe, and the evidence suggests, that Tomcat is more than secure enough for most use-cases. ![]() Those are not caused by a vulnerability in Tomcat. It is unknown whether Equifax has run their application on Tomcat, but there have been a number of similar compromise reports from Tomcat users. vulnerabilities in Apache Struts framework were a popular attack target several times in years 2013-2017. There have been several reports of compromises via vulnerabilities in 3-rd party web applications deployed on Tomcat.Please see "Security considerations" pages in Tomcat documentation ( linked below) for a reference on how access to Management Applications in Tomcat should be secured. This was fixed by April 2010 (Tomcat 5.5.29, 6.0.24 and later are safe). There was once a bug that blindly clicking-trough the Windows installer configured a manager user with blank password ( CVE-2009-3548). There have been several reports of a compromise done via guess of the password of a user of the Manager web application. ![]() All of those were addressed even though there were no documented cases of actual exploitation of these vulnerabilities. ![]() While there have been numerous analyses conducted on Tomcat, partially because this is easy to do with Tomcat's source code openly available, there have been only theoretical vulnerabilities found. There have been no documented cases of data loss or application crashes caused by an intruder. There have been no public cases of damage done to a company, organization, or individual due to a Tomcat security issue. If you hear of a vulnerability or its exploitation, please see the security page. This FAQ section provides help with some security-related issues.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |