Re: Question on TDS security



On 5/18/2011 9:24 AM, Todd Spindler wrote:
Hi John,

We're considering implementing a TDS on our developmental NOMADS data server, to run in parallel with our current GrADS Data Server software. I noticed a Unidata announcement from Jan 2009 that mentions security upgrades done in collaboration with NOAA security experts. http://www.unidata.ucar.edu/mailing_lists/archives/thredds/2009/msg00009.html

Our security guys have raised the question of vulnerabilities from back in 2007 or so, and we'd like to address their concerns. The Change logs from 2009 don't give any specifics, so I was wondering if you could comment on the security upgrades and the current level of security in TDS/Tomcat? Are there any particular gotchas that we need to be aware of?


Hi Todd:

There are no known vulnerabilities in TDS or Tomcat. There was a problem with OpenDAP's CGI server in 2007, but that had nothing to do with our Java implementation. The Opendap protocol was not vulnerable, just that particular (C++) implementation. The security guy at NCDC ran our code through a code analyser, and we made some improvements that msg00009.html refers to. I can probably find some notes on that or you can contact him (address@hidden).

We have been slowly developing docs to help our users know what to do; look over the topics listed in these docs:

http://www.unidata.ucar.edu/projects/THREDDS/tech/tds4.2/tutorial/workshop2010.html
http://www.unidata.ucar.edu/projects/THREDDS/tech/tds4.2/reference/index.html

Let me know if there's anything specific I can answer.

John