Tomcat is not vulnerable to HeartBleed out of the box.
Yes, the APR library is linked and SSLEngine is on (if you really want to, you can comment this line, or set SSLEngine to off, but you are not vulnerable even if you leave it like this).
<Listener className=”org.apache.catalina.core.AprLifecycleListener” SSLEngine=”on” />
If you look at the server.xml config file of a default tomcat deployment, it’s SSL connector uses JSSE not the APR library.
<!– Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the BIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
<Connector port=”8443″ protocol=”org.apache.coyote.http11.Http11Protocol”
maxThreads=”150″ SSLEnabled=”true” scheme=”https” secure=”true”
clientAuth=”false” sslProtocol=”TLS” />
So it shouldn’t be explotable via Heartbleed. Unless you manually changed the SSL connector to use APR, I think it’s safe to say, you are not vulnerable.
A reply from Tomcat is also available on their page:
Is Tomcat 7 vulnerable to openSSL bug(HeartBleed)?
Yes, if you have been using the APR <Connector> with SSL enabled. Work is underway to include a corrected version of OpenSSL in the tcnative-1.dll binaries, but if you’ve already been hacked, changing your server keys is strongly encouraged. The issued is being tracked here: https://issues.apache.org/bugzilla/show_bug.cgi?id=56363
Also a discussion thread from attlasian:
For example see this discussion thread from Attlasian:
The application version is Apache Tomcat/6.0.32 – Servlet API 2.5.
Below is apache connector config
<Connector SSLEnabled=”true” acceptCount=”100″ clientAuth=”false” disableUploadTimeout=”true” enableLookups=”false”
keyAlias=”tomcat” keystoreFile=”C:\JIRA\.keystore” keystorePass=”xxxxxxx” maxHttpHeaderSize=”8192″
maxSpareThreads=”75″ maxThreads=”150″ minSpareThreads=”25″ port=”443″ protocol=“org.apache.coyote.http11.Http11Protocol“
scheme=”https” secure=”true” sslProtocol=”TLS” useBodyEncodingForURI=”true”/>
Vitaly Osipov [Atlassian] · 394 karma · 4 hours ago
You are fine, this configuration uses Java’s own SSL implementation.
This means that if you are using the OOTB config, which uses a JSSE connector, you should be fine.
You can check in your server.xml config file from your tomcat deployment. If you are using APR, your connector will have a protocol value of: protocol=”org.apache.coyote.http11.Http11AprProtocol”.
All you need to do until an updated Tomcat is released is switch to a JSSE connector or manually update OpenSSL.
But again, out of the box config is safe from Heart Blood dripping bugs. 🙂