Overview

This is a one day, invitation only, security event. All Tomcat committers are invited. The purpose is to improve Tomcat security.

The event is being funded by Google who generously provided $5k to the Tomcat project to help improve security. All attendees will have one night's accommodation paid for at the CoC hotel. Include the additional night when making your reservation for CoC EU and markt will pay one night's accommodation at some point during CoC EU using the ASF credit card that has been created and linked to the $5k from Google.

Administration

Thursday 6th June 2024 (the day after CoC EU)

09.00-17.00

Venue: Atrium Lounge, Roset Hotel & Residence, Štúrova, Bratislava, Slovakia


Agenda

  • Introductions
  • Chris's CVE analysis: review past CVEs to identify general patterns that may apply elsewhere in the Tomcat code base
  • general discussion to identify areas where we may be able to improve things
  • split into groups based on interest/experience and review the code
  • work on fixes to any potential improvements found 

Attendees

If there is anyone else you would like to invite, please start a discussion on the private@ mailing list. 

Committer                  Attending Y/N
Dimitris Soumis (guest)    Y
Matus Madzin (guest)       Y
Vladimir Chup (guest)      Y
potiuk (guest)             Y
engelen (guest)            Y
markt                      Y
jfclere                    Y
schultz                    Y
rjung                      Y
remm                       Y
mturk                      Y
fschumacher                Y

Meeting Notes

Fuzzers / test suites.  Look at what is available and investigate integration into a CI build somewhere (GitHub actions, BuildBot, Gump)

  • TLS
    • TLS fuzzer
    • drwetter/testssl.sh
  • HTTP
    • Synopsys http fuzzer
    • Structured field
  • H2
    • Http2-test
    • h2spec - no longer maintained?
      • Good for protocol violations
      • jfclere - can be modified
      • Python h2 library for reproducers - flexible
  • WebSocket
    • Autobahn - receptive to fixes
    • scipag/websocket_fuzzer
    • andresriancho/websocket-fuzzer - maintained?
  • WebDAV
    • litmus
  • Misc
    • find-sec-bugs.github.io - no failures when run on 11.0.x
    • Coverity - automate - fix/silence issues
    • SpotBugs - add to overnight CI

Documentation

  • Provide IDE configuration for SpotBugs, Checkstyle

CVE reproducer test cases

  • Needs discussion on the dev list to decide exactly what we want to do
  • Do we use a fixed timeframe (simple) or a variable one (risk based)? A longer delay helps enterprises that are slower to update.
  • Publish a policy
  • Can develop/track in private svn - can run tests privately

Code signing

  • Investigate DigiCert signature revocation

Migrate from BZ to GitHub issues

  • Discuss on dev list

SBOM

  • What do we include?
  • If we switched to Maven we could get this for free (but it doesn't support shading)
  • Discuss on dev list: generate the SBOM from the current build vs change the build
  • Schultz has draft

Shading

  • BCEL - schultz looking at documenting the process to get from standard BCEL to what we need
  • DBCP, Pool, etc - shade during build rather than copy of source

Dependencies

  • Contact the maintainers to make sure they are aware we use them and that the CRA is coming - solo projects fall between the OSS steward and hobbyist categories
    • NSIS
    • BND
    • JSign

Code coverage

  • Realms probably the biggest gap
  • Manager and Host Manager have low/no coverage
  • IntrospectionUtils is quite fundamental - should probably have higher coverage
  • http2
  • Lots of 'little' gaps
  • Can we / should we remove packages from report?
  • Future GSoC project?

Secure by default

  • We need CI to be running a performance test to check for obvious regressions. Need to extract results over time. How?
  • Ensure discardFacades is true for all versions
  • processorCache (Http11Processor) == 0 is very bad for performance (approx factor of 2) but very good for security. Document this.
  • Could investigate what we could do about the above.
    • Do we need to clear if we don't need to recycle?
    • Are there some recycled objects we could just recreate?
  • Shutdown port can have unexpected behaviour if there are two instances on same machine with same settings
    • Start A, Start B, Stop B actually stops A!
    • Switch default shutdown password to ${catalina.base}
  • Review TLS settings
    • Vary by JVM
    • Document
    • Do we enable anything that all JVMs disable (TLS 1.1?)
    • Are we using the right default cipher list (check with SSLLabs)?
  • Disable more web applications by default
    • Package as a WAR and then name it AAA.war.disabled
  • SecurityListener - schultz already started these threads on dev@
    • Check for writeable files that should not be
    • Anything from the Tomcat security guide
  • Remove SSI / CGI - schultz already started these threads on dev@
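The shutdown port and recycling items above translate directly into server.xml settings. The fragment below is an added illustration, not configuration from the Tomcat project or from this meeting: it shows the stock defaults beside the hardened form that the notes propose. The attributes used (Server port/shutdown, Connector discardFacades/processorCache) are standard Tomcat connector attributes; the shutdown="${catalina.base}" form is the proposal from the notes and assumes the usual ${property} substitution that server.xml supports.

```xml
<!-- Stock server.xml defaults (illustration, constructed here).
     Every instance listens on 8005 with the same shutdown string, so a
     second instance started with the same settings shares the port:
     "Start A, Start B, Stop B" stops A, as noted above. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- processorCache left at its default (200): recycled Processor objects
         give roughly 2x throughput but carry the state-leak risk the notes
         describe; discardFacades unspecified, so the default depends on version. -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
  </Service>
</Server>

<!-- Hardened form (illustration, constructed here).
     Option 1: disable the shutdown port entirely; the JVM is then stopped
     by the service manager or a signal rather than a TCP command. -->
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- discardFacades="true" makes request/response facades single-use so a
         recycled object can never be reached by a later request.
         processorCache="0" disables Processor recycling: safest, but
         expect the ~2x slowdown the notes measured; document the trade-off
         rather than leaving it implicit. -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               discardFacades="true"
               processorCache="0" />
  </Service>
</Server>

<!-- Option 2 (the proposal in the notes): keep the port but make the
     shutdown string unique per instance by deriving it from catalina.base,
     so two instances on one host no longer accept each other's command. -->
<Server port="8005" shutdown="${catalina.base}">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               discardFacades="true" />
  </Service>
</Server>
```

Option 1 is the lowest-risk choice when an external process manager already controls the instance; Option 2 keeps the existing stop scripts working while closing the cross-instance mistake. Either way, the processorCache="0" line is the one to measure before shipping, since the cost is visible in every throughput number.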

Next event

The majority of committers seem to be EU based. Next event likely to be most effective if EU based.

If there is a CoC next year, add on a day again. If not, before Fosdem is a likely candidate. Need to keep an eye on CoC EU plans.

Next event likely to have a different focus. More code review based. Want to look at:

  • HTTP header parsing
  • Other areas TBD

Assuming similar costs, we have sufficient funding to run two more events like this.

Accounting

Date         Description                               CC Income ($)  CC Expenses ($)  CC Balance ($)  Cash Income ($)  Cash Expenses ($)  Cash Balance ($)  Total Balance ($)
             Initial funding from Google               5,000.00                        5,000.00
28 Feb 2024  Meeting room for June 6th 2024 - EUR 380                 425.37           4,574.63
03 Jun 2024  markt accommodation - EUR 563.86                         632.12           3,942.51        474.09                              474.09            4,416.60
04 Jun 2024  remm accommodation - EUR 145.83                          163.83           3,778.68                                            474.09            4,252.77
05 Jun 2024  engelen accommodation - EUR 154.22                       173.43           3,605.25                                            474.09            4,079.34
06 Jun 2024  Lunch - EUR 270                                                           3,605.25                         303.63             170.46            3,775.71
06 Jun 2024  Dinner - EUR 214.10                                      240.24           3,365.01                                            170.46            3,535.72

2 Comments

  1. I would like to thank again Mark for organizing and moderating the event!