Re: Question on TDS security
- Subject: Re: Question on TDS security
- Date: Thu, 19 May 2011 12:21:15 -0600
On 5/18/2011 9:24 AM, Todd Spindler wrote:
> Hi John,
>
> We're considering implementing a TDS on our developmental NOMADS data
> server, to run in parallel with our current GrADS Data Server
> software. I noticed a Unidata announcement from Jan 2009 that
> mentions security upgrades done in collaboration with NOAA security
> experts.
>
> http://www.unidata.ucar.edu/mailing_lists/archives/thredds/2009/msg00009.html
>
> Our security guys have raised the question of vulnerabilities from
> back in 2007 or so, and we'd like to address their concerns. The
> Change logs from 2009 don't give any specifics, so I was wondering if
> you could comment on the security upgrades and the current level of
> security in TDS/Tomcat? Are there any particular gotchas that we need
> to be aware of?

Hi Todd:
There are no known vulnerabilities in TDS or Tomcat. There was a problem
with OpenDAP's CGI server in 2007, but that had nothing to do with our
Java implementation. The Opendap protocol was not vulnerable, just that
particular (C++) implementation. The security guy at NCDC ran our code
through a code analyser, and we made some improvements that
msg00009.html refers to. I can probably find some notes on that or you
can contact him (address@hidden).
We have been slowly developing docs to help our users know what to do;
look over the topics listed in these docs:
http://www.unidata.ucar.edu/projects/THREDDS/tech/tds4.2/tutorial/workshop2010.html
http://www.unidata.ucar.edu/projects/THREDDS/tech/tds4.2/reference/index.html
Let me know if there's anything specific I can answer.
John