8 Replies. Latest reply: Aug 20, 2012 7:49 PM by handat

Looking to address vulnerabilities in SunOne 6 1

user458823 Newbie
Hi,

Our security team found the following vulnerabilities:

1) Disable TLS Renegotiation - SP 17 takes care of this
2) Add the HttpOnly to all cookies
3) Add the Secure flag to cookies sent over SSL
4) Upgrade to latest SSL (I am assuming I can just download and install the latest openssl)

Please let me know how to address these vulnerabilities.
Thank you.
  • 1. Re: Looking to address vulnerabilities in SunOne 6 1
    handat Expert
    The best approach would be to upgrade to the latest release of the webserver, i.e. 7.0, which meets all your security requirements.
    1) Disable TLS Renegotiation - SP 17 takes care of this
    Well, apply the patch then.
    2) Add the HttpOnly to all cookies
    This is the default in 7.0.12 and later. A workaround is to ask your developers to include that option for all the cookies they generate.
    3) Add the Secure flag to cookies sent over SSL
    Ask your developers to add the secure flag in all their web.xml files.
    4) Upgrade to latest SSL (I am assuming I can just download and install the latest openssl)
    The web server uses NSPR and it is updated in SP12+.
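A way to verify items 2 and 3 after the developers have made their changes, added here as an example and not part of the thread or the product: the script reads raw HTTP response headers on stdin (for instance captured with `curl -sD - -o /dev/null https://host/`) and reports every Set-Cookie header that lacks HttpOnly, or lacks Secure when the response came over TLS. The sample headers are constructed, and the function name and its argument convention are assumptions.

```shell
#!/bin/sh
# Added example: audit Set-Cookie headers for the HttpOnly and Secure
# attributes. Reads raw HTTP response headers on stdin, prints one line per
# missing attribute and exits non-zero when anything is missing, so it can
# be dropped into a scripted check after a service pack or web.xml change.

# audit_cookie_flags [https|http]
# Secure is only required when the response came over TLS (default: https).
audit_cookie_flags() {
    scheme=${1:-https}
    # tr strips the CR of HTTP line endings; awk does the per-cookie parsing
    tr -d '\r' | awk -v scheme="$scheme" '
        tolower($0) ~ /^set-cookie:/ {
            hdr = substr($0, index($0, ":") + 1)       # everything after the header name
            n = split(hdr, parts, ";")                  # parts[1] is name=value
            name = parts[1]
            sub(/^[ \t]+/, "", name)
            sub(/=.*/, "", name)                        # keep only the cookie name
            httponly = 0; secure = 0
            for (i = 2; i <= n; i++) {
                attr = tolower(parts[i])
                gsub(/^[ \t]+|[ \t]+$/, "", attr)       # trim whitespace around the attribute
                if (attr == "httponly") httponly = 1
                if (attr == "secure")   secure = 1
            }
            if (!httponly) { print name ": missing HttpOnly"; bad++ }
            if (scheme == "https" && !secure) { print name ": missing Secure"; bad++ }
        }
        END { exit (bad > 0) }'
}

# --- constructed sample response headers (not captured from a real server) ---
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure
Set-Cookie: prefs=dark; Path=/
Set-Cookie: trk=1; Path=/; Secure
Content-Type: text/html'

# Typical use against a live server:
#   curl -sD - -o /dev/null https://host/ | audit_cookie_flags https
if printf '%s\n' "$SAMPLE_HEADERS" | audit_cookie_flags https; then
    echo "all cookies carry the expected flags"
else
    echo "one or more cookies need HttpOnly/Secure added"
fi
```

On the constructed sample the check flags `prefs` for both attributes and `trk` for HttpOnly, while `JSESSIONID` passes; pass `http` as the argument when auditing a plain-HTTP listener so that only HttpOnly is required.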
  • 2. Re: Looking to address vulnerabilities in SunOne 6 1
    user458823 Newbie
    Thank you very much, I appreciate it. How do I upgrade to 7.0?
  • 3. Re: Looking to address vulnerabilities in SunOne 6 1
    user458823 Newbie
    Okay, got the steps...
    How do I find out if:
    The server being migrated and the Web Server 7.0 Administration Server must reside on the same host.
  • 4. Re: Looking to address vulnerabilities in SunOne 6 1
    user458823 Newbie
    I'd rather take the path of least changes, so applying SP 17 seems the best way to go. However, is there a backout procedure for applying this SP? Is it applied just like a Solaris patch?
  • 5. Re: Looking to address vulnerabilities in SunOne 6 1
    handat Expert
    It depends on whether you got a package or zip (file) installed version. For the file version, you just install it on top of your existing installation. It will detect that an older version is already installed and do an update instead. As for restore, a backup of the webserver directory should be sufficient, which you can just restore. For the package based install, it will follow the Solaris patch management mechanism.
  • 6. Re: Looking to address vulnerabilities in SunOne 6 1
    user458823 Newbie
    Thank you for your response. I appreciate it. I am a newbie to SunOne webserver. So I'll ask this question. I know we have several instances running. How do I back up the webserver directory - how do I find out where it is, and is a tar of it sufficient? Please help.
  • 7. Re: Looking to address vulnerabilities in SunOne 6 1
    user458823 Newbie
    It is a zip file inside the patch - I think. We do not have s/w subscription - we can only download os/firmware/public patches - so I'm looking at pricing for s/w patches. I'll be sure once I get the patch. But I'm pretty confident that it's a zip file.
  • 8. Re: Looking to address vulnerabilities in SunOne 6 1
    handat Expert
    OK, when you installed the webserver, did you have to run the install as the root user or just any user? The package based installer requires root user privileges and puts the binaries under /opt/SUNWwebserver and the configuration under /var/opt/SUNWwebserver/https-instancename. The file/zip based installer lets you install anywhere and as any user and also puts the instances under the same directory structure.

    So you have two things to worry about, the binaries and the instance configurations. The config is more important. Basically the directories starting https- are where the configurations for each instance are stored. There are additionally also the alias and httpacl directories for the SSL certificates and ACLs which you should also back up. If it is a file/zip based installation, all you need is to just zip/tar up the entire directory.
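A backup helper for the directories handat describes, added as an example that is not from the thread or the product: it lists the instances under a server root and archives every https-<instance> directory together with alias and httpacl, relative to the root, so that the tar restores in place with `tar -xf <file> -C <server_root>`. The demo tree is constructed under a temporary directory; /var/opt/SUNWwebserver is the package-install location named above, any other root path is an assumption, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: back up Sun ONE / Java System Web Server 6.1 instance
# configuration before applying a service pack. Directory names follow
# handat's description (https-<instance>, alias, httpacl); the server root
# passed in is /var/opt/SUNWwebserver for a package install or wherever a
# zip install was unpacked (assumed, not verified here).

# list_ws_instances <server_root>
# Print instance names found under the root (https-<name> directories).
list_ws_instances() {
    for d in "$1"/https-*; do
        [ -d "$d" ] && printf '%s\n' "${d##*/https-}"
    done
}

# backup_ws_config <server_root> <destination.tar>
# Archives https-*, alias and httpacl relative to the root so that
# "tar -xf <destination.tar> -C <server_root>" restores them in place.
backup_ws_config() {
    root=$1
    dest=$2
    [ -d "$root" ] || { echo "server root not found: $root" >&2; return 1; }
    set --                                  # positional params become the dir list
    for d in "$root"/https-* "$root"/alias "$root"/httpacl; do
        if [ -d "$d" ]; then
            rel=${d#"$root"/}               # path relative to the server root
            set -- "$@" "$rel"
        fi
    done
    [ $# -gt 0 ] || { echo "no https-*/alias/httpacl directories under $root" >&2; return 1; }
    tar -cf "$dest" -C "$root" "$@" || return 1
    echo "archived $# directories from $root into $dest"
}

# --- constructed demo tree standing in for a zip-based install ---
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/https-www/config" "$DEMO_ROOT/https-intranet/config" \
         "$DEMO_ROOT/alias" "$DEMO_ROOT/httpacl" "$DEMO_ROOT/bin"
: > "$DEMO_ROOT/https-www/config/constructed.conf"   # placeholder config file
echo "instances: $(list_ws_instances "$DEMO_ROOT" | tr '\n' ' ')"
backup_ws_config "$DEMO_ROOT" "$DEMO_ROOT.tar"
tar -tf "$DEMO_ROOT.tar"                    # bin/ is deliberately left out
rm -rf "$DEMO_ROOT" "$DEMO_ROOT.tar"
```

Binaries are left out on purpose: for a zip install you can tar the whole directory as handat says, but keeping the configuration archive separate makes a post-patch restore of just the instances straightforward, and for a package install the binaries are under /opt/SUNWwebserver and come back via the Solaris patch backout anyway.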
