000025251 - Web Express: Apache Tomcat shipped with Deployment Manager 1.3.1 has a vulnerability.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000025251
Applies To: Deployment Manager 1.3.1
Authentication Manager 6.1.2
Microsoft Windows Windows Server
Issue: Apache Tomcat shipped with Deployment Manager 1.3.1 (Web Express) has a vulnerability.
A security audit reveals that Apache Tomcat 5.5.7 has a security vulnerability.
Resolution

1. Stop the RSA Web Service.

2. Make a backup copy of your Tomcat directory (by default C:\RSA Security\RSA Web Service\Tomcat).

3. Download Tomcat 5.5.23 from the Apache Tomcat website (as of 5th February 2009, the software could be downloaded from http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.zip).

4. Unzip the downloaded file (e.g. apache-tomcat-5.5.23.zip) into a working directory (e.g. C:\temp). A new folder called "apache-tomcat-5.5.23" should appear.

5. Copy the sub-folders from apache-tomcat-5.5.23 to the Tomcat directory (by default C:\RSA Security\RSA Web Service\Tomcat) and choose to overwrite existing files. This will retain the "webapps" sub-folder where Deployment Manager (previously known as Web Express) has been deployed.

6. Replace the files listed below in C:\RSA Security\RSA Web Service\Tomcat\bin with the files from your backup directory:

   Startup.bat
   Catalina.bat
   Setclasspath.bat
   Shutdown.bat

7. Start the RSA Web Service.

** A SecurCare Note titled "RSA, The Security Division of EMC, Announces RSA Authentication Deployment Manager 1.3.1" has a NOTE regarding the replacement of Apache Tomcat 5.5.7 with Apache Tomcat 5.5.23 **

 

* We can confirm that RSA Authentication Manager 6.1.2 QuickAdmin will work with Apache Tomcat 5.5.23 *
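
The resolution steps above as a PowerShell script. This is an added example, not RSA's own tooling. It assumes PowerShell 5.0 or later, that "RSA Web Service" is the service's display name, and that you supply the archive's SHA-256 from a source you trust; $work, $backup and $expectedSha256 are names chosen for this example.

```powershell
# Added example: automates the article's resolution steps.
# Paths are the article's defaults; the hash value is a placeholder you must fill in.
$ErrorActionPreference = 'Stop'

$service = 'RSA Web Service'                        # assumed to be the display name
$tomcat  = 'C:\RSA Security\RSA Web Service\Tomcat'
$work    = 'C:\temp'
$zipUrl  = 'http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.23/bin/apache-tomcat-5.5.23.zip'
$zip     = Join-Path $work 'apache-tomcat-5.5.23.zip'
$newTree = Join-Path $work 'apache-tomcat-5.5.23'
$backup  = "$tomcat.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
$keepBin = 'Startup.bat', 'Catalina.bat', 'Setclasspath.bat', 'Shutdown.bat'
$expectedSha256 = '<EXPECTED-SHA256-PLACEHOLDER>'   # placeholder, not a real hash

# Download and verify first so the service is only down while files are copied.
# The URL is plain HTTP, so the archive is untrusted until its hash matches.
Invoke-WebRequest -Uri $zipUrl -OutFile $zip
$actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
if ($actual -ne $expectedSha256) {
    throw "SHA-256 mismatch for $zip (got $actual); not installing."
}
Expand-Archive -Path $zip -DestinationPath $work -Force

Stop-Service -DisplayName $service
try {
    # Full backup of the existing Tomcat directory before anything is overwritten.
    Copy-Item -Path $tomcat -Destination $backup -Recurse

    # Overlay the 5.5.23 tree, overwriting existing files.
    Copy-Item -Path (Join-Path $newTree '*') -Destination $tomcat -Recurse -Force

    # Put back the four launcher scripts from the backup, as the article requires.
    foreach ($name in $keepBin) {
        Copy-Item -Path (Join-Path $backup "bin\$name") `
                  -Destination (Join-Path $tomcat 'bin') -Force
    }
}
catch {
    # Leave the service stopped on a partial copy; the backup is the rollback source.
    Write-Error "Upgrade failed; service left stopped. Backup is at $backup. $_"
    throw
}
Start-Service -DisplayName $service
```

With the placeholder hash left unchanged the script stops at the integrity check and makes no changes to the Tomcat directory.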

Notes

Note: Check the config.properties file in <RSA Deployment Manager Install dir>\RSA Web Service\Tomcat\webapps\RSASWE\WEB-INF\config for the Deployment Manager version.
Browse to http://hostname:8080 for the Tomcat version.

Legacy Article ID: a31920