We have been failing our internal pen-test scans since adding LEM into our environment. Are there any plans to upgrade the version of Apache Tomcat?
Changes with RESTRICTCONSOLE should stick, but I know some LEM versions had issues with it. Are you on 6.0?
Yes, we do. We also have a list of mitigation/comments on how or whether different vulnerabilities even apply to LEM if you want us to respond to anything specific. Our version of Tomcat is patched, so if it's just by version string alone it may not be accurate. We know it'll still trip some things, though.
It's CVE-2013-2067, and yes, it does only appear to be querying the version.
<title>Apache Tomcat/6.0.36 - Error report</title>
Any new info on this? We are still getting dinged with this even though it's only querying the version. I'm not sure I will be able to get an exception this year with 3.0
Threat:
Solution:
<title>Apache Tomcat/6.0.37 - Error report</title>
Like Nicole Pauls said, I think if you were to actually try this exploit on the LEM, you'd find that the Apache has been fixed so it's not possible, so the pen test is just tripping on the version string.
At the same time, the LEM shouldn't be open to the Internet (we don't support that), so the potential list of "hackers" consists of people on your internal network. That cuts a lot of riff-raff, and lets you hit people with a stick if they try anything, an option that is sadly lacking from the Internet at large.
You can use the RestrictConsole command in the CMC shell to further restrict what IPs can even open a connection with the LEM (this command modifies the IPTABLES), and therefore further reduce the potential number of people who can even try to exploit Apache.
Thank you. Are the iptables changes perpetual, or do they reset after LEM is rebooted? I set this, and for some reason when we do updates on the host and have to power off the VMs and reboot, it will magically show up on our vulnerability list again. We contemplated just editing the server.xml file directly and manually adding an entry like server="Wouldn't you like to know". I know it's not supported, but if it's just keying off the version string that should nix it from showing anymore.
Wanted to confirm, we have a service release in progress that includes many security-oriented changes/fixes. The Tomcat versions in that release are: 6.0.41 (console) and 6.0.37 (database/reports access). We have run Nessus scans that come up clean, but not sure about other scanners, since as you said they could be only checking versions.
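The thread keeps coming back to one point: the scanner is keying off the version in the default Tomcat error page title, not testing the flaw. The following Python is an added example (not code from this thread, SolarWinds, or any scanner vendor) that mimics such a banner-only check over constructed sample pages modelled on the `<title>` lines quoted above. The `fixed_in` threshold is a parameter the caller supplies, and the custom banner text is a hypothetical value; it shows why a backported fix still trips the check and why a custom `server` string leaves the check with nothing to key off.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample responses, modelled on the <title> lines quoted in the thread.
# A banner-only scanner check sees nothing more than these strings.
SAMPLE_PAGES: Dict[str, str] = {
    "stock": "<html><head><title>Apache Tomcat/6.0.36 - Error report</title></head></html>",
    "patched_build": "<html><head><title>Apache Tomcat/6.0.37 - Error report</title></head></html>",
    # Hypothetical custom server string, as proposed for server.xml in the thread.
    "custom_banner": "<html><head><title>Wouldn't you like to know - Error report</title></head></html>",
}

# Matches the default Tomcat error-page title and captures the dotted version.
TITLE_RE = re.compile(
    r"<title>\s*Apache Tomcat/(\d+(?:\.\d+)*)\s*-\s*Error report\s*</title>", re.I
)


def banner_version(html: str) -> Optional[Tuple[int, ...]]:
    """Return the Tomcat version a default error page advertises, or None if absent."""
    m = TITLE_RE.search(html)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def banner_only_finding(html: str, fixed_in: Tuple[int, ...]) -> str:
    """Mimic a version-string-only check.

    Returns 'flagged', 'not_flagged' or 'unknown'. fixed_in is an assumed
    threshold supplied by the caller; the real fix version for a CVE comes
    from the vendor advisory, and a vendor that backports the fix without
    bumping the version will still be 'flagged' here (a false positive).
    """
    version = banner_version(html)
    if version is None:
        return "unknown"  # nothing to key off: no version in the banner
    return "flagged" if version < fixed_in else "not_flagged"


def review_pages(pages: Dict[str, str], fixed_in: Tuple[int, ...]) -> Dict[str, str]:
    """Run the banner-only check over a set of pages, keyed by their label."""
    return {label: banner_only_finding(html, fixed_in) for label, html in pages.items()}


if __name__ == "__main__":
    # (6, 0, 37) is only an illustrative threshold for this constructed data.
    for label, result in review_pages(SAMPLE_PAGES, (6, 0, 37)).items():
        print(f"{label:14s} -> {result}")
```

Run as-is, the stock page is flagged, the 6.0.37 page is not, and the custom banner yields no result at all; a scanner finding that depends only on this string says nothing about whether the patch is actually present, which is why an exception backed by the vendor's mitigation notes is the more defensible way to close it.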