Closed fishpm-anu closed 10 months ago
BTW, if I go into the running container `germinate` and make the change myself in `server.xml`, how do I restart Tomcat? It's a temporary fix, I know. I see no systemctl or service for it.
Thanks for reporting this. I've looked at a few options and I think I found one I'm happy with. I'll start experimenting and will include a fix in the next release.

In the meantime: yes, you can make temporary changes to a file within the running Docker image. As you mentioned though, these will be lost on restart. To mitigate this, what you can do is take a copy of the `server.xml` file from outside the container like

```
docker cp <DOCKER_IMAGE_NAME>:/usr/local/tomcat/conf/server.xml ./server.xml
```

Then make the required changes to that `server.xml`.

You can then modify your `docker-compose.yml` file (assuming that's how you run Germinate) and add the following mapping under `volumes`:

```yaml
- type: bind
  source: ./server.xml
  target: /usr/local/tomcat/conf/server.xml
```

This will bind your external `server.xml` file into the Germinate Docker container.

For Gatekeeper, repeat the process.
That's great, thanks Sebastian. I will try that and look forward to the new version on Docker Hub.
A new version (v4.7.1) of both Germinate and Gatekeeper has been released. Both include measures to limit exposure of Tomcat-internal information.
Can I ask, if I move from Docker version 4.6.0 to 4.7.1, is there anything I need to do besides changing the image from 4.6.0 to 4.7.1 and running `docker compose down` and `up`? I.e. a manual DB upgrade, config file changes, etc.
Nothing is required from your end other than changing the version number in the `docker-compose.yml`, then stopping, pulling and starting the containers. Any database or structure upgrades are performed automatically when Germinate starts back up.
I set up your Germinate server and Gatekeeper via your Docker sample implementation. The server will need to be a public-facing website so the academics can collaborate. Our IT security team scanned the site to check for issues before allowing it to be public. One issue that they said needed to be fixed to allow it to be public facing was:

> Stack Trace Disclosure (Java) Tomcat. An attacker can obtain information such as: Tomcat version, physical file path of Tomcat files, information about the generated exception. This information might help an attacker gain more information and potentially focus on the development of further attacks to the target system.

Research indicated that the following needed to be done on the app: in the `server.xml` file in your Tomcat installation directory, find the `<Host>` section and add the following line inside it:

```xml
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
```

Could this change be made so the Tomcat app on both Germinate and Gatekeeper does not reveal errors and reports? You may want to check if that's the best option to address the Stack Trace Disclosure issue in Tomcat/Java.

The scan was created with 23.12.0.43017-release_is-23.12.0-2427fdc https://www.invicti.com
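The following script, added here as an example and not part of Germinate or this issue, checks a `server.xml` (for instance one copied out with `docker cp` as described above) for the ErrorReportValve hardening requested in this report. It treats a missing `showReport` or `showServerInfo` attribute as a finding, because Tomcat defaults both to `true`; the sample XML inside it is constructed.

```python
"""Audit a Tomcat server.xml for the ErrorReportValve hardening from this
thread: every <Host> must carry an ErrorReportValve with showReport="false"
and showServerInfo="false". Added example; not Germinate's own code."""
import sys
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.ErrorReportValve"


def audit_error_report_valve(server_xml: str) -> list[str]:
    """Return findings; an empty list means every Host is hardened.
    Tomcat treats a missing showReport/showServerInfo as "true", so an
    absent attribute is a finding, not a pass."""
    root = ET.fromstring(server_xml)
    findings = []
    hosts = list(root.iter("Host"))
    if not hosts:
        return ["no <Host> element found"]
    for host in hosts:
        name = host.get("name", "<unnamed>")
        # Only direct children count: the valve has to sit inside this <Host>.
        valves = [v for v in host.findall("Valve") if v.get("className") == VALVE_CLASS]
        if not valves:
            findings.append(f"Host {name}: no ErrorReportValve "
                            "(default error page shows version and stack trace)")
            continue
        for valve in valves:
            for attr in ("showReport", "showServerInfo"):
                value = valve.get(attr, "true").strip().lower()
                if value != "false":
                    findings.append(f"Host {name}: {attr} is {value!r}, expected 'false'")
    return findings


# Constructed samples: a default-style Host without the valve, and the same
# Host with the line recommended in this thread added.
UNHARDENED = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"/>
  </Host></Engine></Service></Server>"""
HARDENED = UNHARDENED.replace(
    'directory="logs"/>',
    'directory="logs"/>\n    <Valve className="org.apache.catalina.valves.ErrorReportValve" '
    'showReport="false" showServerInfo="false"/>')

if __name__ == "__main__":
    # Pass a path (e.g. the server.xml copied out with docker cp) or use the sample.
    xml = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNHARDENED
    for line in audit_error_report_valve(xml) or ["OK: every Host has a hardened ErrorReportValve"]:
        print(line)
```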