3 Replies Latest reply: Jul 9, 2012 6:31 PM by TimK RSS

    Upgrade Tomcat?

    TimK
      For PCI compliance, is it possible to upgrade tomcat to 6.0.35 or higher for Endeca. The scans are showing a number vulnerabilities in the version of Tomcat running our out of the box install of Endeca Workbench.

      IE.
      Port www (8006/tcp)      [-/+]
      Apache Tomcat 6.x < 6.0.35 Multiple Vulnerabilities

      Thanks,
      Tim
        • 1. Re: Upgrade Tomcat?
          TimK
          I looking at the Eden posts, I have answered this specific question, however a new question pops up.

          From Doug Bailey Oct 26, 2011:
          "The current versions of the Endeca components are not tested or supported on Tomcat 7."

          "We strongly suggest that servers for Endeca applications not be exposed to internet access as well as wide network access in general, and we recommend that access to the Tomcat server be locked down in a similar fashion as other web servers. Endeca does not support any independent migration of the shipping version of Tomcat to a later version."

          "Endeca deems the actual threat posed by these vulnerabilities to be low because these applications should be "behind the firewall" and should be secured by all of the other fail-safes that keep your network protected. Only the ports necessary for communication to and from the EAC and shutdown ports (etc.) should be available and those should only be accessible from the hosts that they will be communicating with, e.g., the EAC central server."

          The new question is this:
          What ideas are out there for securing the Workbench port 8006 in such a way to be compliant with PCI standards? If there is already documentation out there, please share.

          Thanks,
          Tim
          • 2. Re: Upgrade Tomcat?
            gireesh sahukar - oracle
            Tim - Endeca recommendation on Tomcat version that you quote below still holds good for Workbench as well. Workbench is an internal business user tool and should not be exposed to the internet just like your other internal, corporate applications.
            • 3. Re: Upgrade Tomcat?
              TimK
              Protecting the port 8004 as internal was sufficient to quell the PCI compliance guardians.