Hi Brian,
Thanks for the post.
The Tomcat and JRE that come bundled with PMP are tailored versions. So most of the vulnerabilities listed on the CVE site would not be applicable, as some of the config files would not be present in the builds for use. Our development team also keeps track of the vulnerabilities published. These threats can be eliminated by hardening the actual server on which PMP is installed, so that not many users will have write permissions to the PMP server. Also, the steps below can be used to restrict access to the PMP webpage/webserver by white-listing the IP range, so that our webserver can only be reached from this range of IPs.
- Stop the PMP Service if it is running
- Open the server.xml file present in <PMP_HOME>\conf folder
- Search for this line
- <Context path="" docBase="PassTrix" debug="0" useHttpOnly="true"/>
- Add the following line after the one shown above (replace the sample IP with your entries. The IPs / range entered here represent allowed IPs):
- <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1,192.168.212.*"/>
- Start the PMP Service
Our development team is currently working on the changes to roll out the updates for the webserver, JRE and default Postgres database. We will intimate you once the new version is out. Meanwhile, if you have received any specific scan results, feel free to send them to passwordmanagerpro-support@manageengine.com. We will respond to the items with more detailed descriptions about the implications.