000016764 - RSA Deployment Manager 1.3.1 - Perceived Security Vulnerability with webdav page being available for listing.

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016764
Applies To: RSA Deployment Manager 1.3.1; Apache Tomcat 5.5.7
Issue: How to resolve a possible security vulnerability in Apache Tomcat where the webdav page is reachable via HTTP and available for listing.
C:\RSA Security\RSA Web Service\Tomcat\webapps\webdav is reachable via HTTP and available for listing. The customer needs direction on taking this site/directory down so that it's not visible via a browser. Their security team has deemed this a security vulnerability.
Resolution: How to disable webdav for RSA Deployment Manager:

WebDAV is enabled only for the webdav webapp. Disabling it will have no effect on RSA Deployment Manager functionality.

1.) Make a copy of the file C:\RSA Security\RSA Web Service\Tomcat\webapps\webdav\WEB-INF\web.xml

2.) Then edit the file C:\RSA Security\RSA Web Service\Tomcat\webapps\webdav\WEB-INF\web.xml

3.) Find the section:
<servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- Uncomment this to enable read and write access -->
    <!--
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    -->
    <!--load-on-startup>1</load-on-startup-->
</servlet>

4.) Delete everything between <servlet> and </servlet>, leaving only:
<servlet>
</servlet>

5.) Restart the RSA Web Service
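
To check the file before and after the edit, the following added example (not RSA's or Apache's code) parses a web.xml and reports every active WebdavServlet declaration with its listings and readonly settings. The function name audit_webdav and the minimal <web-app> wrapper around the sample data are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

WEBDAV_CLASS = "org.apache.catalina.servlets.WebdavServlet"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip any '{namespace}' prefix

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_webdav(web_xml):
    """Return one finding per active WebdavServlet declaration in a web.xml."""
    findings = []
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != WEBDAV_CLASS:
            continue
        # The parser drops XML comments, so a commented-out init-param
        # (readonly in the article's file) is reported as "not set".
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in servlet if _local(p.tag) == "init-param"}
        findings.append({
            "servlet": _child_text(servlet, "servlet-name"),
            "listings": params.get("listings", "not set"),
            "readonly": params.get("readonly", "not set"),
        })
    return findings

# Constructed sample: the article's servlet section in a minimal <web-app> wrapper.
BEFORE = """<web-app><servlet>
<servlet-name>webdav</servlet-name>
<servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
<init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
<init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
<!--
<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
-->
</servlet></web-app>"""

# Constructed sample: the same file after step 4 (empty servlet element).
AFTER = "<web-app><servlet>\n</servlet></web-app>"

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_webdav(doc))
```

To audit the real file, read C:\RSA Security\RSA Web Service\Tomcat\webapps\webdav\WEB-INF\web.xml in binary mode and pass its contents to audit_webdav; an empty list means no WebdavServlet declaration remains.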
Legacy Article ID: a61321
