This repository has been archived by the owner on Sep 28, 2020. It is now read-only.

Update Tomcat per Amazon's scary-sounding notice #449

Open
wboykinm opened this issue Oct 30, 2013 · 0 comments

From AWS:

"(Please note: This message is an advisory and not an abuse report. No action or response is needed.)

Hello,

It has come to our attention that there has been an increase in attacks against hosts running Apache Tomcat with default or insufficiently complex administrative credentials for the Tomcat Manager Application. If run with weak credentials, or if the installed version has a vulnerability, Tomcat can be compromised by an external attacker for use in a variety of malicious activity.

You can avoid being vulnerable to attackers by following the below best practices to increase the security of your Tomcat installation:

  1. Ensure that the version of Tomcat you are using is up to date and does not have any known or unaddressed security vulnerability. You can find a list of vulnerabilities by version on the Apache Tomcat website at: http://tomcat.apache.org/security.html.
  2. If you have enabled administrator or manager user accounts with access to the Tomcat Manager application (managed within the tomcat-users.xml file), ensure they are given appropriately complex passwords and difficult to guess usernames. Additional information regarding configuring access to Tomcat Manager can be found here:
  3. Verify that you are implementing the recommended security guidelines for your Tomcat installation. For some of the later versions, you may find the following guides helpful:
  4. Subscribe to Apache Tomcat's mailing list for the latest security updates by visiting: http://tomcat.apache.org/lists.html

Additional assistance and documentation related to AWS security best practices may be found at: http://media.amazonwebservices.com/Whitepaper_Security_Best_Practices_2010.pdf

Regards,
Amazon EC2 Abuse Team"
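
One way to check item 2 of the advisory on a host, as an added example that is not part of the original issue or the AWS notice: a small Python audit that parses `tomcat-users.xml` and reports accounts holding Manager or Host Manager roles whose username or password is guessable. The denylist, the 14-character floor and the sample file are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat Manager / Host Manager applications.
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script",
                    "manager-jmx", "manager-status", "admin-gui", "admin-script"}
# Assumptions for this example: a short illustrative denylist and length floor.
GUESSABLE = {"tomcat", "admin", "manager", "root", "password", "changeme"}
MIN_PASSWORD_LENGTH = 14

# Constructed sample input, not taken from any real host.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager-gui"/>
  <user username="deploy-7f3a" password="Vq9#tLm2!xRw84zKe" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="tomcat"/>
</tomcat-users>"""

def audit_tomcat_users(xml_text):
    """Return (username, privileged_roles, problems) for each weak privileged account."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Newer files declare an XML namespace, so compare the local tag name.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        username = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",")}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # account cannot reach the Manager application
        problems = []
        if username.lower() in GUESSABLE:
            problems.append("guessable username")
        if password.lower() in GUESSABLE or password.lower() == username.lower():
            problems.append("default or username-derived password")
        if len(password) < MIN_PASSWORD_LENGTH:
            problems.append("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
        if problems:
            findings.append((username, privileged, problems))
    return findings

if __name__ == "__main__":
    # Passwords are deliberately never printed, only the reasons for the finding.
    for user, roles, problems in audit_tomcat_users(SAMPLE):
        print("%s (%s): %s" % (user, ", ".join(roles), "; ".join(problems)))
```

The `viewer` account in the sample is not reported even though its password equals its username, because it holds no role that reaches the Manager application; widen `PRIVILEGED_ROLES` if you want every account checked.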
