Important Notice from Amazon Web Services Regarding Tomcat Installations - Amazon EC2 Abuse Report [16909304951-1]


From: Amazon EC2 Abuse
Date: Oct 14, 2013, 3:19:07 PM
To: p...@sagebase.org
Amazon Web Services
(Please note: This message is an advisory and not an abuse report. No action or response is needed.)

Hello,

It has come to our attention that there has been an increase in attacks against hosts running Apache Tomcat with default or insufficiently complex administrative credentials for the Tomcat Manager Application. If run with weak credentials, or if the installed version has a vulnerability, Tomcat can be compromised by an external attacker for use in a variety of malicious activity.

You can avoid being vulnerable to attackers by following the below best practices to increase the security of your Tomcat installation:

1. Ensure that the version of Tomcat you are using is up to date and does not have any known or unaddressed security vulnerability. You can find a list of vulnerabilities by version on the Apache Tomcat website at: http://tomcat.apache.org/security.html.

2. If you have enabled administrator or manager user accounts with access to the Tomcat Manager application (managed within the tomcat-users.xml file), ensure they are given appropriately complex passwords and difficult to guess usernames. Additional information regarding configuring access to Tomcat Manager can be found here:

* For Tomcat 6.0, see http://tomcat.apache.org/tomcat-6.0-doc/manager-howto.html#Configuring_Manager_Application_Access
* For Tomcat 7.0, see http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html#Configuring_Manager_Application_Access
* For Tomcat 8.0, see http://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html#Configuring_Manager_Application_Access

3. Verify that you are implementing the recommended security guidelines for your Tomcat installation. For some of the later versions, you may find the following guides helpful:

* For Tomcat 6.0, see http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
* For Tomcat 7.0, see http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
* For Tomcat 8.0, see http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html

4. Subscribe to Apache Tomcat's mailing list for the latest security updates by visiting: http://tomcat.apache.org/lists.html

Additional assistance and documentation related to AWS security best practices may be found at: http://media.amazonwebservices.com/Whitepaper_Security_Best_Practices_2010.pdf

Regards,
Amazon EC2 Abuse Team

How can I contact a member of the Amazon EC2 abuse team or abuse reporter?
Reply to this email with the original subject line.

Amazon Web Services

Amazon Web Services LLC is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message produced and distributed by Amazon Web Services, LLC, 410 Terry Avenue North, Seattle, WA 98109-5210.
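The advisory's second recommendation is the one most operators can check mechanically: every account in tomcat-users.xml that carries a Manager role should have a non-guessable username and a complex password. The following script is an added example and is not part of the AWS message or of Apache Tomcat; it parses a tomcat-users.xml file and reports Manager-capable accounts with weak or default credentials. The sample XML, the lists of common usernames and passwords, the 12-character minimum and the function names are all constructed for this example; the role names (manager in Tomcat 6, manager-gui, manager-script, manager-jmx and manager-status in 7 and later) are Tomcat's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (not taken from the original message):
# one Manager account with a default-style credential, one with a strong one,
# and one account without Manager access.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy_ops" password="Vq9!tX2#mL8pZ4rW" roles="manager-script"/>
  <user username="reader" password="reader" roles="reporting"/>
</tomcat-users>
"""

# Roles that grant access to the Manager application: "manager" in Tomcat 6,
# the split roles in Tomcat 7 and later.
MANAGER_ROLES = {"manager", "manager-gui", "manager-script",
                 "manager-jmx", "manager-status"}

# Illustrative lists of guessable names and default-style passwords, constructed
# for this example; extend them with whatever your own baseline defines.
COMMON_USERNAMES = {"tomcat", "admin", "manager", "root", "both", "role1"}
COMMON_PASSWORDS = {"tomcat", "admin", "manager", "password", "s3cret",
                    "changeit", "123456", ""}

MIN_PASSWORD_LENGTH = 12  # assumed policy value for this example


def local_name(tag):
    """Strip a namespace prefix such as '{http://tomcat.apache.org/xml}user'."""
    return tag.rsplit("}", 1)[-1]


def password_is_weak(password):
    """True for default-style passwords, short ones, or ones with little variety."""
    if password.lower() in COMMON_PASSWORDS:
        return True
    if len(password) < MIN_PASSWORD_LENGTH:
        return True
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes < 3


def audit_tomcat_users(xml_text):
    """Return [(username, [reasons])] for Manager-capable accounts with weak credentials."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if local_name(elem.tag) != "user":
            continue
        # Tomcat's in-memory user database reads "username"; older files use "name".
        username = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # no Manager access: outside the scope of this advisory
        reasons = []
        if username.lower() in COMMON_USERNAMES:
            reasons.append("guessable username")
        if password_is_weak(password):
            reasons.append("weak or default password")
        if reasons:
            findings.append((username, reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {', '.join(reasons)}")
```

Run against the sample, the script reports only the tomcat/tomcat account: the reader account is skipped because it has no Manager role, and deploy_ops passes both checks. Point audit_tomcat_users at the contents of $CATALINA_BASE/conf/tomcat-users.xml to check a live installation; note that it only inspects plaintext passwords, so files using Tomcat's digested-password support will need the digest step accounted for separately.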
