Patching Vulnerable CVEs?

An education client has Servoy 7.3.1 running on Java 1.7_013 and their compliance officer scanned the server using something called “Retina” and sent them this message:

Outdated Apache | Risk: High | CVE: CVE-2014-0198,CVE-2014-0221,CVE-2014-3470,CVE-2010-5298,CVE-2014-0195,CVE-2014-0224
Issue: Apache Tomcat Multiple Vulnerabilities (20140903)
Description: Apache Tomcat web server contains multiple vulnerabilities in its bundled versions of OpenSSL that could result in buffer overflows, denial of service, man-in-the-middle attacks and more.
Fix: Upgrade Apache Tomcat to version 7.0.55, 8.0.11 or later.

It is possible that these are false positive as a result of backporting patches since Retina only goes by the version number from the banner. If this is the case, please verify that these CVEs have been patched and send us a screenshot that Apache is up to date or the CVEs have been patched if possible.

I’m at a loss as to how to respond to this request. Are there any server/config gurus out there who can lend a hand on how to either patch it or give a response?

Hi Bob,

Doing a quick look around on the web shows that the ‘Retina’ mention probably relates to this product.
Also the CVEs are all about OpenSSL, not so much Tomcat-specific. Now usually services link against an OpenSSL library that is located somewhere on your system. Most UNIX systems have it, and just updating this library will update the services using it as well.
Now on Windows this might be different. I don’t think Windows comes with OpenSSL preinstalled like most UNIX distros do.
A quick search shows that Tomcat has a native downloads section where you get a pre-compiled binary for Windows; for UNIX type distros you get only the source that you need to compile against the local (updated) OpenSSL library.

So if you are running Tomcat on Windows this should be a fairly simple swap of files (I hope). Else you could always consider moving to 7.4.2 (assuming that Servoy updates the native stuff as well).
I am sure Johan or Jan B. can give you better/more detailed info on this.

Hope this helps.

You can always just install the very latest Tomcat and then run Servoy as a WAR deployment.
Then you don’t depend on Servoy updating the bundled Tomcat.

But I think Robert is also correct: by default our application server, when run on Windows, doesn’t use OpenSSL but uses the Java built-in SSL lib.
Only when you use the Tomcat native libraries can you have a problem, because I think those are statically linked, so you need the latest ones from (and maybe then also the latest Tomcat, not sure).
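A way to verify the point made above, as an added example (not code from the thread or from Servoy): the Tomcat startup log tells you whether the native (APR/OpenSSL) connector is active and which OpenSSL build it initialised, which is the evidence to give back to a banner-based scanner. The log lines are constructed samples in the format Tomcat 7 uses; the fixed-version table is the June 2014 OpenSSL advisory that covers the six CVEs in the finding.

```python
import re

# Constructed catalina.out excerpts (sample input, not from the thread).
LOG_NATIVE = """\
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
INFO: Initializing ProtocolHandler ["http-apr-8080"]
"""
LOG_JSSE = """\
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\\Java\\bin
INFO: Initializing ProtocolHandler ["http-bio-8080"]
"""

# First release per OpenSSL branch that contains the fixes for CVE-2014-0198,
# CVE-2014-0221, CVE-2014-3470, CVE-2010-5298, CVE-2014-0195 and CVE-2014-0224
# (OpenSSL security advisory of 5 June 2014).
FIXED = {(1, 0, 1): "h", (1, 0, 0): "m", (0, 9, 8): "za"}

OPENSSL_RE = re.compile(
    r"OpenSSL successfully initialized \(OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
APR_RE = re.compile(r'ProtocolHandler \["[a-z]+-apr-\d+"\]')


def assess(log_text):
    """Return (uses_native, openssl_version, affected) from catalina.out text."""
    m = OPENSSL_RE.search(log_text)
    uses_native = m is not None or APR_RE.search(log_text) is not None
    if m is None:
        # No OpenSSL banner: TLS is handled by JSSE (Java's own stack), so the
        # OpenSSL CVEs do not apply to this Tomcat instance.
        return (uses_native, None, False)
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    version = "%d.%d.%d%s" % (branch + (letter,))
    fixed = FIXED.get(branch)
    if fixed is None:
        return (True, version, True)  # unknown branch: treat as unverified
    # OpenSSL patch letters sort by length then alphabetically ("z" < "za").
    affected = (len(letter), letter) < (len(fixed), fixed)
    return (True, version, affected)


if __name__ == "__main__":
    for name, log in (("native", LOG_NATIVE), ("jsse", LOG_JSSE)):
        print(name, assess(log))
```

Run it against the real `logs/catalina.*.log` from the server; a result of `(False, None, False)` is the evidence that the Java SSL stack, not OpenSSL, is in use.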

OK GUYS - thank you VERY MUCH for your insights.

I will try updating the JAR files… and see what happens.

I’ll also let them know we use the JAVA SSL stuff and not the Tomcat stuff…

Again, I very much appreciate your time! :D