added 84 characters in body
Alex

I believe Tomcat is not vulnerable to Heartbleed out of the box.

Yes, the APR library is linked and SSLEngine is on.

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

But if you look at the server.xml config file of a default Tomcat deployment, its SSL connector uses JSSE, not the APR library.

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the BIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

So it shouldn't be exploitable via Heartbleed. Unless you manually changed the SSL connector to use APR, I think it's safe to say you are not vulnerable.

Speaking of which, do you know of any offline tester for Heartbleed?

http://alexluca.com/2014/04/10/heartbleed-and-tomcat-out-of-the-box-ssl-config/

Regards,

Alex L.
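As an added example (not part of Alex's answer), a small server.xml checker that applies the reasoning above from the defender's side: it reports whether the APR listener is present and which SSLEnabled connectors would be served by the APR/OpenSSL engine rather than JSSE. It goes one step beyond the answer by also flagging the generic protocol="HTTP/1.1" form, which Tomcat resolves to the APR connector when the native library can be loaded; the sample server.xml is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the stock server.xml described above: APR listener
# on, the JSSE SSL connector still commented out, plus one explicit APR connector.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                    SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" /> -->
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/etc/tomcat/cert.pem" />
  </Service>
</Server>
"""

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
AUTO_SWITCH = ("HTTP/1.1", "AJP/1.3")  # generic names Tomcat resolves at startup

def apr_listener_present(root):
    """True when the APR lifecycle listener is configured (tcnative may be loaded)."""
    return any(l.get("className") == APR_LISTENER for l in root.iter("Listener"))

def classify_connector(conn, apr_present):
    """Return 'jsse', 'openssl' or 'auto' for one SSLEnabled connector.
    'auto' means: APR/OpenSSL if the native library loads at runtime, JSSE otherwise."""
    proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol name
    if "Apr" in proto:
        return "openssl"
    if proto in AUTO_SWITCH and apr_present:
        return "auto"
    return "jsse"

def assess(server_xml):
    """Map port -> TLS engine for every connector with SSLEnabled=true.
    Commented-out connectors are dropped by the parser, as Tomcat ignores them too."""
    root = ET.fromstring(server_xml)
    apr_present = apr_listener_present(root)
    findings = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings[conn.get("port")] = classify_connector(conn, apr_present)
    return findings

if __name__ == "__main__":
    for port, engine in assess(SAMPLE_SERVER_XML).items():
        print(f"port {port}: TLS handled by {engine}")
```

Only connectors reported as "openssl" (or "auto" on a host where the native library is installed) depend on the OpenSSL build and therefore need the Heartbleed patch check; "jsse" connectors never touch OpenSSL.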
