8 Replies. Latest reply: Aug 20, 2012 9:49 PM by handat

    Looking to address vulnerabilities in SunOne 6 1

    user458823
      Hi,

      Our security team found the following vulnerabilities:

      1) Disable TLS Renegotiation - SP 17 takes care of this
      2) Add the HttpOnly to all cookies
      3) Add the Secure flag to cookies sent over SSL
      4) Upgrade to latest SSL (I am assuming I can just download and install the latest openssl)

      Please let me know how to address these vulnerabilities.
      Thank you.
        • 1. Re: Looking to address vulnerabilities in SunOne 6 1
          handat
          The best approach would be to upgrade to the latest release of the webserver, i.e. 7.0, which meets all your security requirements.
          1) Disable TLS Renegotiation - SP 17 takes care of this
          Well, apply the patch then.
          2) Add the HttpOnly to all cookies
          This is the default in 7.0.12 and later. A workaround is to ask your developers to include that option for all the cookies they generate.
          3) Add the Secure flag to cookies sent over SSL
          Ask your developers to add the secure flag in all their web.xml files.
          4) Upgrade to latest SSL (I am assuming I can just download and install the latest openssl)
          The web server uses NSPR and it is updated in SP12+.
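Whichever way the developers end up setting the flags for items 2) and 3), the thing worth verifying is what the server actually sends. The script below is an added example, not code from this thread or from the web server product: it audits captured HTTP response headers and reports every Set-Cookie that lacks HttpOnly or Secure. The header block it runs on is a constructed sample; in practice you would paste in the headers of a response captured from your own instance with a test client.

```sh
#!/bin/sh
# Added example, not code from the thread: audit captured HTTP response headers
# for cookies that lack the HttpOnly or Secure flag (items 2 and 3 above).
# Feed it the headers of a response from your own server to confirm the
# developers' change actually reached the wire.

# Constructed sample headers, standing in for a real captured response.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; HttpOnly
Set-Cookie: token=xyz; Path=/; Secure; HttpOnly
Content-Type: text/html'

# check_cookie_flags HEADERS
# Prints "<name>: missing <flags>" for each Set-Cookie header that lacks a
# flag; the return value is the number of deficient cookies (0 = all good).
# Attribute matching is case-insensitive, as browsers treat the attributes.
# Plain POSIX awk only (no gawk extensions), so it also runs on Solaris.
check_cookie_flags() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        tolower($1) == "set-cookie:" {
            attrs = tolower($0)
            name = $2; sub(/=.*/, "", name)      # cookie name is up to the "="
            missing = ""
            if (attrs !~ /; *httponly( *;| *$)/) missing = missing " HttpOnly"
            if (attrs !~ /; *secure( *;| *$)/)   missing = missing " Secure"
            if (missing != "") { print name ": missing" missing; bad++ }
        }
        END { exit bad }'
}

# Usage: run against the sample; a non-zero return means something to fix.
check_cookie_flags "$SAMPLE_HEADERS" || echo "$? cookie(s) need attention"
```

On the sample it reports JSESSIONID (missing both flags) and prefs (missing Secure) and returns 2, so the same call can gate a deployment check. Note the Secure check is only meaningful for responses served over SSL, which is exactly the case item 3) is about.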
          • 2. Re: Looking to address vulnerabilities in SunOne 6 1
            user458823
            Thank you very much, I appreciate it. How do I upgrade to 7.0?
            • 3. Re: Looking to address vulnerabilities in SunOne 6 1
              user458823
              Okay, got the steps.....
              How do I find out if:
              The server being migrated and the Web Server 7.0 Administration Server must reside on the same host.
              • 4. Re: Looking to address vulnerabilities in SunOne 6 1
                user458823
                I'd rather take the path of least changes, so applying SP 17 seems the best way to go. However, is there a backout procedure for applying this SP? Is it applied just like a Solaris patch?
                • 5. Re: Looking to address vulnerabilities in SunOne 6 1
                  handat
                  It depends on whether you got a package or zip (file) installed version. For the file version, you just install it on top of your existing installation. It will detect that an older version is already installed and do an update instead. As for restore, a backup of the webserver directory should be sufficient which you can just restore. For the package based install, it will follow the Solaris patch management mechanism.
                  • 6. Re: Looking to address vulnerabilities in SunOne 6 1
                    user458823
                    Thank you for your response. I appreciate it. I am a newbie to SunOne webserver. So I'll ask this question. I know we have several instances running. How do I backup the webserver directory - how do I find out where it is and is a tar of it sufficient? Please help.
                    • 7. Re: Looking to address vulnerabilities in SunOne 6 1
                      user458823
                      It is a zip file inside the patch - I think. We do not have s/w subscription - we can only download os/firmware/public patches - so I'm looking at pricing for s/w patches. I'll be sure once I get the patch. But I'm pretty confident that it's a zip file.
                      • 8. Re: Looking to address vulnerabilities in SunOne 6 1
                        handat
                        OK, when you installed the webserver, did you have to run the install as the root user or just any user? The package based installer requires root user privileges and puts the binaries under /opt/SUNWwebserver and the configuration under /var/opt/SUNWwebserver/https-instancename. The file/zip based installer lets you install anywhere and as any user and also puts the instances under the same directory structure.

                        So you have two things to worry about, the binaries and the instance configurations. The config is more important. Basically the directories starting with https- are where the configuration for each instance is stored. There are additionally also the alias and httpacl directories for the SSL certificates and ACLs which you should also backup. If it is a file/zip based installation, all you need is to just zip/tar up the entire directory.
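As an added example (not code from this thread or from the web server product), the script below turns handat's backup advice into a repeatable step for the file/zip based layout: it archives every https-* instance directory plus alias and httpacl from the server root into a timestamped tar.gz, verifies the archive reads back, and provides the matching restore for the backout case. The server root and destination directory are parameters; the paths in the usage comment are assumptions and may differ on your host.

```sh
#!/bin/sh
# Added example, not code from the thread: back up the configuration of a
# file/zip based Web Server installation before applying a service pack,
# following the directories named above (https-* instances, alias, httpacl).
# The paths in the usage comment at the bottom are assumptions.

# backup_webserver SERVER_ROOT DEST_DIR
# Archives every https-* instance directory plus alias (SSL certificate and
# key databases) and httpacl (ACL files) into a timestamped tar.gz under
# DEST_DIR, verifies the archive reads back, and prints its path.
backup_webserver() {
    root=$1; dest=$2
    [ -d "$root" ] || { echo "backup: no such server root: $root" >&2; return 1; }
    mkdir -p "$dest" || return 1
    archive="$dest/webserver-config-$(date +%Y%m%d-%H%M%S).tar.gz"
    # Collect the directories to keep; warn about any that are absent.
    set --
    for d in "$root"/https-* "$root/alias" "$root/httpacl"; do
        if [ -d "$d" ]; then
            set -- "$@" "${d##*/}"
        else
            echo "backup: warning, $d not found" >&2
        fi
    done
    [ $# -gt 0 ] || { echo "backup: nothing to archive under $root" >&2; return 1; }
    # Archive relative to the server root so the paths restore cleanly.
    ( cd "$root" && tar cf - "$@" ) | gzip > "$archive" || return 1
    # Make sure the archive can be read back before trusting it.
    gzip -dc "$archive" | tar tf - > /dev/null || return 1
    echo "$archive"
}

# restore_webserver ARCHIVE SERVER_ROOT
# Puts the archived directories back under SERVER_ROOT (stop the instances
# first; existing files with the same names are overwritten).
restore_webserver() {
    [ -f "$1" ] || { echo "restore: no such archive: $1" >&2; return 1; }
    mkdir -p "$2" || return 1
    gzip -dc "$1" | ( cd "$2" && tar xf - )
}

# Usage (paths assumed, adjust to your install):
#   backup_webserver /opt/SUNWwebserver /var/backups/webserver
#   restore_webserver /var/backups/webserver/webserver-config-<stamp>.tar.gz /opt/SUNWwebserver
```

The archive deliberately leaves the binaries out, since the service pack replaces those anyway; if you want a full backout of the file based install, run tar over the whole server root instead. Keep the archive on a different filesystem from the server root and, because alias holds the key database, with the same restrictive permissions as the original directory.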