Bug 1394093 - [RFE] add support for customizing tomcat server.xml options
Summary: [RFE] add support for customizing tomcat server.xml options
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: Unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-11-11 01:51 UTC by jnikolak
Modified: 2020-04-15 14:50 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-18 18:06:03 UTC
Target Upstream Version:
Embargoed:



Description jnikolak 2016-11-11 01:51:01 UTC
ISSUE

* NMAP reports security warning for tomcat



ENVIRONMENT
* Satellite 6.2



RESOLUTION

* Disable HTTP TRACE Method for Apache  
--> https://access.redhat.com/solutions/884243


--> allowTrace="False"
For both connectors -->  /etc/tomcat/server.xml
Then restart tomcat



GOAL

Add allowTrace=False lines by default as part of a Satellite Build

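The resolution above amounts to: set allowTrace to false on both Connector elements in /etc/tomcat/server.xml, then restart tomcat. The script below is an added example, not code from this bug, Satellite, Candlepin or puppet-candlepin. It audits every Connector in a server.xml for TRACE and writes a hardened copy with allowTrace="false" set explicitly on each one. The SAMPLE_SERVER_XML is a constructed stand-in for a real file, and all function names are the example's own; to run it against a real instance, feed it the contents of /etc/tomcat/server.xml. Tomcat reads allowTrace case-insensitively, so the reporter's allowTrace="False" and the documented allowTrace="false" behave the same; an absent attribute means disabled.

```python
"""Audit and harden the Connector elements of a Tomcat server.xml for HTTP TRACE.

Added example (not Satellite, Candlepin or puppet-candlepin code). The server.xml
below is a constructed sample; replace SAMPLE_SERVER_XML with the contents of
/etc/tomcat/server.xml to run it against a real instance.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one Connector with TRACE explicitly enabled, one relying on the default.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!-- constructed sample, not a real Satellite server.xml -->
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               allowTrace="true" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="want"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def parse_server_xml(xml_text):
    """Parse server.xml, keeping XML comments so a rewritten file stays readable."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def trace_enabled(connector):
    """Tomcat enables TRACE only for allowTrace="true" (case-insensitive); absent means disabled."""
    return connector.get("allowTrace", "false").strip().lower() == "true"


def audit_trace(xml_text):
    """Return [(port, trace_enabled)] for every Connector, in document order."""
    root = parse_server_xml(xml_text)
    return [(c.get("port"), trace_enabled(c)) for c in root.iter("Connector")]


def harden_trace(xml_text):
    """Set allowTrace="false" explicitly on every Connector.

    Returns (hardened_xml, number_of_connectors_changed). Connectors that already
    say allowTrace="false" are left untouched.
    """
    root = parse_server_xml(xml_text)
    changed = 0
    for connector in root.iter("Connector"):
        if connector.get("allowTrace", "").strip().lower() != "false":
            connector.set("allowTrace", "false")
            changed += 1
    # ET.tostring omits the <?xml ...?> declaration; put it back so the result is a drop-in file.
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, changed


if __name__ == "__main__":
    for port, enabled in audit_trace(SAMPLE_SERVER_XML):
        print(f"Connector {port}: TRACE {'ENABLED' if enabled else 'disabled'}")
    hardened, count = harden_trace(SAMPLE_SERVER_XML)
    print(f"hardened {count} connector(s); re-audit: {audit_trace(hardened)}")
```

Write the returned string over /etc/tomcat/server.xml (keep a backup) and restart tomcat; the re-audit should report every Connector as disabled. Setting the attribute explicitly, rather than relying on the default, is what makes the intent visible to the next person or scanner that reads the file.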
Comment 1 Brad Buckingham 2016-11-15 16:12:42 UTC
Hi Kurt, what are your thoughts about the security implications of this one to Satellite and the severity that should be applied?

Comment 2 Kurt Seifried 2016-11-15 17:01:56 UTC
We are planning to harden this in a future version of Satellite, please see:

https://bugzilla.redhat.com/show_bug.cgi?id=1305782

in fact you can probably close this as a duplicate of the above.

Comment 3 Brad Buckingham 2016-11-15 19:21:37 UTC
Kurt, thank you for the quick feedback. 

Based on the input, I am going to close this one as a duplicate; however, please re-open with details, if there is any concern with this approach.  Thanks!

*** This bug has been marked as a duplicate of bug 1305782 ***

Comment 4 Stephen Benjamin 2016-11-15 20:11:45 UTC
Reopened, as tomcat is configured by puppet-candlepin which doesn't seem to expose any means for customizing the server.yml.  We'll need to enable that before the solution in the other BZ works for this too.

Comment 6 Stephen Benjamin 2016-11-18 18:06:03 UTC
All of the tomcat documentation says the default for allowTrace is false, so not sure why nmap is being triggered.

  - http://tomcat.apache.org/tomcat-5.5-doc/config/http.html
  - http://tomcat.apache.org/tomcat-6.0-doc/config/http.html


I looked at my local tomcat instance on Satellite 6.2 EL7, and TRACE is not enabled.  

[root@sat-rhel7 ~]#  curl -v -X TRACE -k http://localhost:8080/candlepin/status
* About to connect() to localhost port 8080 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> TRACE /candlepin/status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Server: Apache-Coyote/1.1
< Allow: POST, GET, DELETE, OPTIONS, PUT, HEAD
< Content-Length: 0
< Date: Fri, 18 Nov 2016 18:04:51 GMT
< 
* Connection #0 to host localhost left intact


Likewise on EL6:

[vagrant@sat-rhel7 ~]$ curl -v -X TRACE -k http://localhost:8080/candlepin/status
* About to connect() to localhost port 8080 (#0)
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> TRACE /candlepin/status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
< Server: Apache-Coyote/1.1
< Allow: POST, GET, DELETE, OPTIONS, PUT, HEAD
< Content-Length: 0
< Date: Fri, 18 Nov 2016 18:05:45 GMT
< 
* Connection #0 to host localhost left intact

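Comment 6 checks TRACE with curl and reads the 405 as "disabled". The probe below is an added example, not code from this bug or from Satellite; it sends a TRACE request the way a scanner does and decides that TRACE is enabled only when the server answers 200 and echoes the request (including a marker header) back, which is the condition nmap's http-trace script is looking for. A 405 with an Allow header, as in the curl output above, is reported as disabled. The two handler classes are constructed stand-ins for a hardened and an unhardened Tomcat so the example runs offline; against a real Satellite, call probe_trace with the host and port 8080 (or 8443 over TLS, which this plain-HTTP example does not cover).

```python
"""Probe an HTTP endpoint for a reflected TRACE, the condition a TRACE scanner flags.

Added example, not code from this bug or from Satellite. The two handler classes
are constructed stand-ins so the probe can be exercised offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HEADER = ("X-Trace-Probe", "allowTrace-check")


def probe_trace(host, port, path="/candlepin/status", timeout=5):
    """Send TRACE and report status, Allow header, and whether the request was echoed back.

    TRACE counts as enabled only when the server returns 200 and reflects the
    probe header; a 405 (Tomcat's answer when allowTrace is false) is disabled.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={PROBE_HEADER[0]: PROBE_HEADER[1]})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    reflected = f"{PROBE_HEADER[0]}: {PROBE_HEADER[1]}" in body
    return {
        "status": resp.status,
        "allow": resp.getheader("Allow"),
        "reflected": reflected,
        "enabled": resp.status == 200 and reflected,
    }


class TraceDisabledHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for Tomcat with allowTrace="false": 405 plus an Allow list."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "POST, GET, DELETE, OPTIONS, PUT, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE on: echoes the request as message/http."""

    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1", "replace")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start a throwaway HTTP server on 127.0.0.1 and a random port; caller shuts it down."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    for handler in (TraceDisabledHandler, TraceEnabledHandler):
        server = serve(handler)
        try:
            print(handler.__name__, probe_trace("127.0.0.1", server.server_port))
        finally:
            server.shutdown()
            server.server_close()
```

Checking for reflection rather than just the status code matters: some front ends answer TRACE with 200 and an empty or generic body, which is not the cross-site-tracing condition a scanner reports, and others return 501 or 403 rather than 405, which is still "disabled" for this purpose.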
