Hi,
I'm running ipa-server 4.8.7-13 on CentOS 8.3.
My security scanning software is lighting up with a lot of warnings about my FreeIPA
servers - specifically Apache Tomcat vulnerabilities exposed on the PKI-Tomcat ports -
8080/8443. It is detecting v9.0.30, and seemingly has a different list of vulnerabilities
for each version below 9.0.43 that the service is vulnerable to.
Firstly, is the detection accurate? How can I determine the Tomcat version in use here? If
the detection is correct, has this dependency been upgraded, or is it in the process of
being upgraded?
Secondly, why are these ports exposed at all? It seems that the server.xml defines AJP
listening on port localhost:8009, which is what Apache forwards requests to. However, this
port simply forwards on to 8443, which is listening publicly, and we also have 8080
listening publicly. As far as I can see from the documentation, connectivity to these
endpoints should not be needed.
Thirdly, how can I configure pki-tomcat to not listen on these ports? I've tried
editing the connectors in /etc/pki/pki-tomcat/server.xml, but the pki-tomcatd service fails
on restart - presumably an ipa service somewhere is configured to connect to the
FQDN/external IP rather than localhost. The error is `ipa-pki-wait-running: Connection
failed: HTTPConnectionPool(host='my.fqdn.com', port=8080): Max retries exceeded
with url: /ca/admin/ca/getStatus (Caused by NewConnectionErr`. I'm aware I could
firewall off the ports, but I'd rather they weren't listening in the first place.
The only reference I've been able to find is the bug here:
https://github.com/dogtagpki/pki/issues/2748 - but this seems unresolved, and only refers
to installation as opposed to modifying an existing install.
Thanks!
Jake
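The two checks the post asks about (which connectors in server.xml bind beyond loopback, and what Tomcat version is actually deployed) can be done locally without relying on a scanner's banner guess. The script below is an added example, not code from the post, FreeIPA, Dogtag PKI or Tomcat. It parses the <Connector> elements of a server.xml and classifies each one as loopback-only or listening on all interfaces, using Tomcat's documented default that a connector with no address attribute binds to every interface. The SAMPLE_SERVER_XML embedded in it is constructed for the example and does not reproduce the real /etc/pki/pki-tomcat/server.xml; point the script at that file to audit a live server. The version helper reads the server.info key in the format of Tomcat's ServerInfo.properties (shipped inside catalina.jar under org/apache/catalina/util/); the SAMPLE_SERVER_INFO text is likewise constructed.

```python
"""Audit which interfaces a Tomcat server.xml's <Connector> elements bind to.

Hypothetical helper added as an example; it is not part of FreeIPA, Dogtag
PKI or Tomcat. Run it against /etc/pki/pki-tomcat/server.xml to see which
connectors listen on all interfaces versus loopback only.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Addresses that keep a connector reachable from the local host only.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample; it does NOT reproduce the real pki-tomcat server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8009" protocol="AJP/1.3" address="localhost"
               redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample in the format of catalina.jar's
# org/apache/catalina/util/ServerInfo.properties.
SAMPLE_SERVER_INFO = "server.info=Apache Tomcat/9.0.30\nserver.number=9.0.30.0\n"


def parse_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Return one dict per <Connector>, filling in Tomcat's defaults.

    Tomcat binds a connector to every interface when no address attribute
    is given, so a missing address is recorded as 0.0.0.0.
    """
    root = ET.fromstring(server_xml)
    connectors = []
    for conn in root.iter("Connector"):
        connectors.append({
            "port": conn.get("port", ""),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "address": conn.get("address", "0.0.0.0"),
            "redirectPort": conn.get("redirectPort", ""),
        })
    return connectors


def exposed_ports(server_xml: str) -> List[str]:
    """Ports of connectors that bind beyond loopback (reachable remotely)."""
    return [c["port"] for c in parse_connectors(server_xml)
            if c["address"] not in LOOPBACK]


def loopback_ports(server_xml: str) -> List[str]:
    """Ports of connectors restricted to the local host."""
    return [c["port"] for c in parse_connectors(server_xml)
            if c["address"] in LOOPBACK]


def parse_server_info(properties_text: str) -> str:
    """Extract the 'server.info' value (e.g. 'Apache Tomcat/9.0.30')."""
    for line in properties_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "server.info":
            return value.strip()
    return ""


def report(server_xml: str) -> str:
    """Human-readable table: one line per connector with its exposure."""
    lines = []
    for c in parse_connectors(server_xml):
        scope = "loopback only" if c["address"] in LOOPBACK else "ALL INTERFACES"
        lines.append(f"port {c['port']:>5} {c['protocol']:<45} "
                     f"address={c['address']:<10} {scope}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_connectors.py [/etc/pki/pki-tomcat/server.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SERVER_XML
    print(report(xml_text))
    print("exposed ports:", exposed_ports(xml_text))
    print("version (sample):", parse_server_info(SAMPLE_SERVER_INFO))
```

On the constructed sample the report flags 8080 and 8443 as listening on all interfaces and 8009 as loopback-only, which matches the exposure described in the post. Re-running it after editing the connectors, and comparing against `ss -ltnp` on the host, confirms whether the change took effect before any firewall rule is considered.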