
Well - for those of us using Tomcat, there's a new Denial of...


Toby Mills


I noticed that. I was happy because I thought .48 was high enough.

The previous vulnerability was for 9.0.43, so I was hoping to get by with .48.

I've had quite a bit of practice doing Tomcat updates now.

Generally:

Use the Tomcat config utility and get screenshots of the pages you are interested in. Make sure to get some copies of the Java tab - I copy/paste the Classpath (mainly you'll want the path for the JDBC driver for your repository from here) as well as get a screenshot into an Excel doc as I update.

Next just copy your tomcat\conf into a tomcat_backup\conf (or whatever you want to name it).

Now uninstall Tomcat (I'm on Windows). Sometimes during uninstall, I get offered the chance to keep custom configurations that I've made and sometimes I don't. If you have the chance, tell the uninstaller to leave your files alone - this will save you a step or two later.

Install your new Tomcat.

Use your favorite folder / file comparison utility to copy over the contexts like /ibi_apps etc. from under the catalina\localhost folder of your tomcat_backup folder.

Then compare the server.xml files. By default, the AJP connector is commented out in Tomcat's install. You'll want to just copy the whole AJP block from your backup server.xml into its rightful place in the new one. WebFOCUS's implementation gets around the Ghostcat vulnerability by adding the secretRequired and allowedRequestAttributesPattern settings:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3"
               address="localhost"
               port="8009"
               redirectPort="8443"
               secretRequired="false"
               allowedRequestAttributesPattern=".*"
               maxPostSize="-1" />

It's easy to miss that the default has a <!-- and --> to comment out this block.

Now that Tomcat's files are back, you just need to run the new Tomcat config utility Tomcat9WFw.exe under the bin folder.

On Windows - if you installed with an admin ID like me - I have to just browse to the d:\ibi\tomcat folder and choose to allow mortals (such as myself with my normal Windows ID) to use things in the directory. It's an easy process. Just try to use File Explorer and attempt to look inside the folder. A box will pop up asking for admin credentials again and you're all set to run the config utility.

Now that your files are back, and your service configuration is matched up (mainly get your Classpath and memory set so the JDBC driver can be found for the repository), you're ready to start it up.

That's pretty much it.

Let me know if you have any questions.

Tomcat 9 download page

Oh yeah - if your security situation requires it, you might want to go remove the ROOT context from under webapps.

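As an added example (not code from the post, from WebFOCUS or from Tomcat), a small Python check for two things the procedure above relies on: whether a Tomcat version falls inside the CVE-2021-42340 ranges quoted in this thread, and whether the AJP connector in a server.xml is really active after the copy (a block left inside `<!-- -->` is invisible to the parser, exactly as it is to Tomcat). The two server.xml samples are constructed; the default of `secretRequired="true"` on Tomcat 9.0.31+ is assumed from the Tomcat 9 docs.

```python
"""Added example: version check against the CVE-2021-42340 ranges quoted in
this thread, plus a check of which AJP connectors in a server.xml are active
and whether they are bound to localhost / require a secret."""
import xml.etree.ElementTree as ET

# Affected ranges copied from the advisory text in this thread (inclusive).
# Milestone builds (10.0.0-M10, 10.1.0-M1..M5) are not modelled here.
AFFECTED = [((8, 5, 60), (8, 5, 71)), ((9, 0, 40), (9, 0, 53)),
            ((10, 0, 0), (10, 0, 11))]

def is_affected(version: str) -> bool:
    v = tuple(int(p) for p in version.split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def active_ajp_connectors(server_xml: str) -> list:
    """Report every AJP connector the XML parser actually sees. A block still
    wrapped in <!-- --> is a comment and never appears, which is the
    'easy to miss' mistake the post describes."""
    root = ET.fromstring(server_xml)
    found = []
    for c in root.iter("Connector"):
        if not c.get("protocol", "").startswith("AJP"):
            continue
        found.append({
            "port": c.get("port"),
            # loopback binding keeps the AJP port off the network
            "localhost_only": c.get("address") in ("localhost", "127.0.0.1", "::1"),
            # Tomcat 9.0.31+ defaults secretRequired to "true" (assumed here)
            "secret_required": c.get("secretRequired", "true").lower() != "false",
        })
    return found

# Constructed sample: the post's AJP block uncommented, plus a plain HTTP one.
SAMPLE_ACTIVE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector protocol="AJP/1.3" address="localhost" port="8009"
             redirectPort="8443" secretRequired="false"
             allowedRequestAttributesPattern=".*" maxPostSize="-1"/>
</Service></Server>"""

# Constructed sample: fresh install, AJP block still commented out.
SAMPLE_COMMENTED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <!-- <Connector protocol="AJP/1.3" address="localhost" port="8009"/> -->
</Service></Server>"""

if __name__ == "__main__":
    print("9.0.48 affected:", is_affected("9.0.48"))
    print("active AJP (backup):", active_ajp_connectors(SAMPLE_ACTIVE))
    print("active AJP (fresh):", active_ajp_connectors(SAMPLE_COMMENTED))
```

Point `active_ajp_connectors` at the real server.xml of the new install (read the file into a string) to confirm the copied block took effect before starting the service.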

Well - for those of us using Tomcat, there's a new Denial of Service warning that came out on 10/14. Time to upgrade Tomcats again.

Here's the whole notice:

CVE-2021-42340 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

Apache Tomcat 10.1.0-M1 to 10.1.0-M5

Apache Tomcat 10.0.0-M10 to 10.0.11

Apache Tomcat 9.0.40 to 9.0.53

Apache Tomcat 8.5.60 to 8.5.71

Description:

The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Mitigation:

Users of the affected versions should apply one of the following mitigations:

- Upgrade to Apache Tomcat 10.1.0-M6 or later
- Upgrade to Apache Tomcat 10.0.12 or later
- Upgrade to Apache Tomcat 9.0.54 or later
- Upgrade to Apache Tomcat 8.5.72 or later
