5 Replies Latest reply on Feb 24, 2016 12:50 PM by nicole pauls

    Apache Tomcat for LEM

    nsmethurst

      Hello,

      I have a few questions with regards to Apache Tomcat for LEM. Has anyone updated the version of Apache Tomcat on their SWLEM server?

      Another issue is that entering an incorrect address gives the below, which shows the Apache Tomcat version, and this has been highlighted as a security concern.

      Could you create a custom error page, or change some settings so that the Apache version is not shown?

      [screenshot: pic.png]

      Many Thanks,

      Nick
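As an added illustration (not from this thread or from SolarWinds), this is how a standalone Tomcat instance that you administer yourself is normally configured so that its error pages and Server header stop disclosing the version; LEM is a closed appliance, so these edits do not apply to it. File paths, the `/errors/*.html` locations and the port are assumptions.

```xml
<!-- Added example, not part of the original thread. Two fragments are shown:
     $CATALINA_BASE/conf/web.xml and $CATALINA_BASE/conf/server.xml (assumed
     standard Tomcat layout). -->

<!-- conf/web.xml (or an application's own WEB-INF/web.xml): map error codes
     to static pages so Tomcat's default error page, which prints
     "Apache Tomcat/x.y.z", is never rendered. Works on Tomcat 6 and later.
     The referenced pages must exist in each deployed webapp. -->
<web-app>
  <error-page>
    <error-code>404</error-code>
    <location>/errors/404.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/errors/500.html</location>
  </error-page>
  <!-- Catch-all for unhandled exceptions so stack traces are not exposed. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/500.html</location>
  </error-page>
</web-app>

<!-- conf/server.xml: suppress the version in the built-in error report and
     in the Server response header. Weak defaults (version disclosed):
       <Connector port="8080" protocol="HTTP/1.1"/>
       <Host name="localhost" appBase="webapps"/>
     Hardened equivalents: -->
<Server>
  <Service name="Catalina">
    <!-- "server" overrides the Server header; a generic value leaks nothing. -->
    <Connector port="8080" protocol="HTTP/1.1" server="web" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <!-- showReport/showServerInfo exist on Tomcat 7.0.55+ and 8.0.x+
             (check your version's docs); Tomcat 6 lacks them, so there the
             error-page mappings above are the only option. -->
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
    </Engine>
  </Service>
</Server>
```

After restarting Tomcat, request a non-existent path and confirm the response body and the Server header no longer contain "Apache Tomcat/" followed by a version.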

        • Re: Apache Tomcat for LEM
          nsmethurst

          Anyone have any ideas? Even at least the update of Apache Tomcat?

          • Re: Apache Tomcat for LEM
            curtisi

            There isn't a way to upgrade components of the LEM except through the releases from SolarWinds. These include updates to the LEM software, database, OS and other components.

            However, looking at Apache's website, there appears to have only been one fix in the one newer release of Apache:

            Apache Tomcat - Apache Tomcat 6 vulnerabilities

            And that's CVE-2014-0227, which they didn't make public until February 2015. Since 6.1.0 was released in January, and the dev team seems to favor known stable releases vs. bleeding edge, there wouldn't have been a reason to upgrade in the months before February. I would bet that you'll see Apache updated when the next release comes out for LEM later this year, though.

            At the same time, your LEM's web interface shouldn't be facing the public internet. If you find someone exploiting vulnerabilities from inside your network, you should probably discipline/fire them. You can also control who has access to the LEM's web console using commands in the CMC shell via the virtual machine console or an SSH session.

            [screenshot: 2015-04-09 06_56_45-10.110.7.4 - PuTTY.png]
              • Re: Apache Tomcat for LEM
                asisit

                This is a decent solution to this problem, but still doesn't solve the problem. I'm currently plagued with solving at least 9 different CVEs that an internal scan found on our LEM boxes and wish I had another way to handle it other than this.

                  • Re: Apache Tomcat for LEM
                    nicole pauls

                    I'd recommend you send them to support, if you haven't already, because it's entirely possible they've been remediated through patches OR are on the docket to be remediated, so you at least can document beyond the restrictconsole compensating control in the meantime.

                • Re: Apache Tomcat for LEM
                  nicole pauls

                  In addition to curtis's notes, the Tomcat version is sometimes not enough to go off of. Patches can be backported, and the version may appear to be out of date when in fact it's just a patched older version.

                  I believe we have another case in to change our error page due to information leakage; you might want to report this issue to support so that you're notified when the change is released.