Re: Tomcat 7/8/9 context path restrictions/validation

2017-09-20 Thread Guang Chao
On Wed, Sep 20, 2017 at 5:47 PM, Konstantin Ryadov 
wrote:

>
> Hello!
> Could you explain the limitations on the context path value (e.g. as described on
> https://tomcat.apache.org/tomcat-7.0-doc/config/context.html ) set
> in server.xml?
> Is there any context path validation (unescaped symbols, whitespace
> and so on)?
> Is a leading “/” always required in the context path value? What is the difference
> between a value with a leading “/” and one without?
>

I have not checked before, but I assume white spaces and special characters
are not ok.


> Ps
> I found "All of the context paths within a particular Host must be
> unique." only in documentation.
>
>
>


-- 
Guang 


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-20 Thread Mark Thomas
Update:

We believe we have a set of patches [1],[2] that addresses this for
9.0.x. The plan is to give folks ~12 hours to review the proposed
patches and then back-port the patches, tag and release.

Further analysis has not identified any additional attack vectors or
risks associated with this vulnerability.

The recommended mitigations remain unchanged.

Mark


[1] http://svn.apache.org/viewvc?rev=1809011&view=rev
[2] http://svn.apache.org/viewvc?rev=1809025&view=rev


On 20/09/17 13:20, Mark Thomas wrote:
> Update:
> 
> The issue has been confirmed.
> 
> CVE-2017-12617 has been allocated.
> 
> The issue is not limited to PUT requests. For the Default servlet,
> DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
> COPY are believed to be affected.
> 
> The RCE via JSP upload using PUT is still believed to be the most severe
> impact of this vulnerability.
> 
> The recommended mitigations remain unchanged.
> 
> Mark
> 
> 
> On 20/09/17 09:25, Mark Thomas wrote:
>> All,
>>
>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
>> Security Team has received multiple reports that a similar vulnerability
>> exists in all current Tomcat versions and affects all operating systems.
>>
>> Unfortunately, one of these reports was made via the public bug tracker
>> [2] rather than responsibly via the Tomcat Security Team's private
>> mailing list [3].
>>
>> We have not yet completed our investigation of these reports but, based
>> on the volume, and our initial investigation they appear to be valid.
>>
>> From an initial analysis of the reports received, the vulnerability only
>> affects the following configurations:
>>
>> Default Servlet
>> - Default Servlet configured with readonly="false"
>>   AND
>> - Untrusted users are permitted to perform HTTP PUT requests
>>
>> WebDAV Servlet
>> - WebDAV Servlet configured with readonly="false"
>>   AND
>> - Untrusted users are permitted to perform HTTP PUT requests
>>   AND
>> - The documented advice not to map the WebDAV servlet as the Default
>>   servlet has been ignored
>>
>> Please note that:
>>  - The WebDAV servlet is disabled by default
>>  - The default value for the readonly parameter is true for both the
>>Default servlet and the WebDAV servlet
>>
>> Therefore, a default Tomcat installation is not affected by this
>> potential vulnerability.
>>
>> Based on our understanding to date, the potential vulnerability may be
>> mitigated by any of the following:
>> - setting readonly to true for the Default servlet and WebDAV servlet
>> - blocking HTTP methods that permit resource modification for untrusted
>>   users
>>
>> We will provide updates to the community as our investigation of these
>> reports continues.
>>
>> Mark
>> on behalf of the Apache Tomcat Security Team
>>
>>
>> [1] http://markmail.org/message/xqfchebiy6fjmvjz
>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>> [3] http://tomcat.apache.org/security.html
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
> 
> 
> 





Re: tomcat ssl setup

2017-09-20 Thread tomcat

On 20.09.2017 17:07, John Ellis wrote:

> All of what I have done so far has been in Tomcat version 9, which I
> downloaded from the Apache Tomcat website. The way I start tomcat is by
> running the command ./startup.sh from within the apache-tomcat-9.0.0.M26/bin
> directory. I stop it by running the command ./shutdown.sh from the same
> directory.



Ok, perfect. So there is only one tomcat9 we can be talking about, and one server.xml
file. And since this is a "standard tomcat", that server.xml must be in .. (let me look at
the logfile again) ..


08-Sep-2017 10:05:02.911 INFO [main] 
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory 
[/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]


so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml

and considering this :
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError 
Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed 
character data or markup.
 org.xml.sax.SAXParseException; systemId: 
file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 
6; The content of elements must consist of well-formed character data or markup.


there is something on line 87, position 6, that he does not like.

And further down also :
08-Sep-2017 13:17:36.947 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError 
Parse Fatal Error at line 114 column 6: The string "--" is not permitted within comments.
 org.xml.sax.SAXParseException; systemId: 
file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 114; columnNumber: 
6; The string "--" is not permitted within comments.


but maybe this is not in the server.xml file itself, but in something else that the 
server.xml references there (like an external "XML entity" or something).


Why don't you get those 2 lines from your server.xml and paste them here :

...







RE: tomcat ssl setup

2017-09-20 Thread John Ellis
All of what I have done so far has been in Tomcat version 9, which I
downloaded from the Apache Tomcat website. The way I start tomcat is by
running the command ./startup.sh from within the apache-tomcat-9.0.0.M26/bin
directory. I stop it by running the command ./shutdown.sh from the same
directory.

John Ellis

405.285.2500 office


http://biz-e.io


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Wednesday, September 20, 2017 10:02 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 20.09.2017 15:20, John Ellis wrote:
> Andre can you tell me which log file you are saying tells where the 
> problem is?

That's the one you uploaded to the dropbox :
 >> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0

I have of course no idea at this point, which tomcat or which server.xml
this was related to, but i suppose you do.

> I am not seeing it but I may not be even looking for the right thing. I
> did open the server.xml file up in an XML file editor program and it 
> didn't give any errors.

Then it must be that this tomcat who wrote the logfile, is not looking at
the same server.xml file than the one you're looking at.
(Or else your XML file editor is not really good)

How do you start this tomcat, on your server ?
And where did you get this tomcat from ? Is it the one from the tomcat
website ?

>
> John Ellis
>
> 405.285.2500 office
>
>
>
>
> http://biz-e.io
>
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Tuesday, September 19, 2017 3:47 PM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> On 19.09.2017 20:17, John Ellis wrote:
>> Here are the tomcat 9 log file DropBox links-
>>
>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=
>> 0
>
> Well, there you go. It tells you explicitly where you made the 
> mistakes, up to the file and line  numbers.
> I can't see your server.xml, but I would bet that you have modified 
> it, by surrounding some XML comment sections by another comment pair 
>  That crashes because XML does not allow that.
> You cannot have this kind of thing :
>
>   -->
>
>
>>
>> https://www.dropbox.com/s/yj93ub9woxdoie0/localhost_access_log.2017-0
>> 9
>> -19.txt?dl=0
>>
>> Thanks,
>>
>> John Ellis
>>
>> 405.285.2500 office
>>
>> United States
>>
>>
>> http://biz-e.io
>>
>> *From:*Alejandro Vargas M. [mailto:alejandro.var...@kymsolutions.com]
>> *Sent:* Tuesday, September 19, 2017 11:10 AM
>> *To:* users@tomcat.apache.org
>> *Subject:* Re: tomcat ssl setup
>>
>> Do you see what's on the log files, they can tell you what's the 
>> problem in. Maybe you can share those files too.
>>
>> I also saw on line 117 this "|  -->|"  Looks like there's left over.
>>
>> On 09/19/2017 09:31 AM, John Ellis wrote:
>>
>> I have been trying to setup SSL for tomcat 9.00.M26 on a RHEL (version
>> 6.4) server for testing purposes. I downloaded & installed Tomcat9 fine
>> and I get a proper webpage on port 8080 but when I used the keytool
>> commands and created a certificate from cacert.org and then edited the
>> server.xml file to setup the ssl configuration to run on port 8443 I
>> cannot get a webpage on that port; it defaults back to port 8080. If I
>> am not providing all the needed info or asking a wrong question please
>> forgive me. I am not a programmer. My background is in computer
>> hardware. I have just been forced to learn this to support two products
>> that we use here in our office; Jira and Confluence. I have actually
>> been working on setting them up for an SSL connection on a different
>> server. I got Confluence working on a secure port but not Jira so my
>> boss suggested troubleshooting the issue by trying to first get SSL
>> setup for Tomcat on this other server.
>>
>> I am providing a copy of the Tomcat9 server.xml file here on a DropBox
>> link-
>> https://www.dropbox.com/s/k3l07w9p4n81fas/server.xml?dl=0
>>
>> Thanks in advance!
>>
>> John Ellis
>>
>> 405.285.2500 office
>>
>> United States
>>
>> http://biz-e.io
>>
>> --
>>
>> Alejandro Vargas Mayorga
>> Development Manager C.A. & C.
>> Tel. 506-7232-3366
>> Email: alejandro.var...@kymsolutions.com
>> www.kymsolutions.com  Visit our virtual classroom!
>>
>

Re: tomcat ssl setup

2017-09-20 Thread tomcat

On 20.09.2017 15:20, John Ellis wrote:

> Andre can you tell me which log file you are saying tells where the problem
> is?


That's the one you uploaded to the dropbox :
>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0

I have of course no idea at this point, which tomcat or which server.xml this was related 
to, but i suppose you do.


> I am not seeing it but I may not be even looking for the right thing. I
> did open the server.xml file up in an XML file editor program and it didn't
> give any errors.


Then it must be that this tomcat who wrote the logfile, is not looking at the same 
server.xml file than the one you're looking at.

(Or else your XML file editor is not really good)

How do you start this tomcat, on your server ?
And where did you get this tomcat from ? Is it the one from the tomcat website ?






RE: tomcat ssl setup

2017-09-20 Thread John Ellis
Andre can you tell me which log file you are saying tells where the problem
is? I am not seeing it but I may not be even looking for the right thing. I
did open the server.xml file up in an XML file editor program and it didn't
give any errors. 

John Ellis

405.285.2500 office


http://biz-e.io


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Tuesday, September 19, 2017 3:47 PM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 19.09.2017 20:17, John Ellis wrote:
> Here are the tomcat 9 log file DropBox links-
>
> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0

Well, there you go. It tells you explicitly where you made the mistakes, up
to the file and line  numbers.
I can't see your server.xml, but I would bet that you have modified it, by
surrounding some XML comment sections by another comment pair 
That crashes because XML does not allow that.
You cannot have this kind of thing :

  -->





RE: tomcat ssl setup

2017-09-20 Thread John Ellis
The Dropbox link to the tomcat server.xml file is back in this email thread.

John Ellis

405.285.2500 office


http://biz-e.io


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Tuesday, September 19, 2017 3:47 PM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 19.09.2017 20:17, John Ellis wrote:
> Here are the tomcat 9 log file DropBox links-
>
> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0

Well, there you go. It tells you explicitly where you made the mistakes, up
to the file and line  numbers.
I can't see your server.xml, but I would bet that you have modified it, by
surrounding some XML comment sections by another comment pair 
That crashes because XML does not allow that.
You cannot have this kind of thing :

  -->





Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-20 Thread Mark Thomas
Update:

The issue has been confirmed.

CVE-2017-12617 has been allocated.

The issue is not limited to PUT requests. For the Default servlet,
DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
COPY are believed to be affected.

The RCE via JSP upload using PUT is still believed to be the most severe
impact of this vulnerability.

The recommended mitigations remain unchanged.

Mark


On 20/09/17 09:25, Mark Thomas wrote:
> All,
> 
> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
> Security Team has received multiple reports that a similar vulnerability
> exists in all current Tomcat versions and affects all operating systems.
> 
> Unfortunately, one of these reports was made via the public bug tracker
> [2] rather than responsibly via the Tomcat Security Team's private
> mailing list [3].
> 
> We have not yet completed our investigation of these reports but, based
> on the volume, and our initial investigation they appear to be valid.
> 
> From an initial analysis of the reports received, the vulnerability only
> affects the following configurations:
> 
> Default Servlet
> - Default Servlet configured with readonly="false"
>   AND
> - Untrusted users are permitted to perform HTTP PUT requests
> 
> WebDAV Servlet
> - WebDAV Servlet configured with readonly="false"
>   AND
> - Untrusted users are permitted to perform HTTP PUT requests
>   AND
> - The documented advice not to map the WebDAV servlet as the Default
>   servlet has been ignored
> 
> Please note that:
>  - The WebDAV servlet is disabled by default
>  - The default value for the readonly parameter is true for both the
>Default servlet and the WebDAV servlet
> 
> Therefore, a default Tomcat installation is not affected by this
> potential vulnerability.
> 
> Based on our understanding to date, the potential vulnerability may be
> mitigated by any of the following:
> - setting readonly to true for the Default servlet and WebDAV servlet
> - blocking HTTP methods that permit resource modification for untrusted
>   users
> 
> We will provide updates to the community as our investigation of these
> reports continues.
> 
> Mark
> on behalf of the Apache Tomcat Security Team
> 
> 
> [1] http://markmail.org/message/xqfchebiy6fjmvjz
> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
> [3] http://tomcat.apache.org/security.html
> 
> 


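As an added example (not Tomcat project code and not part of Mark's message), here is a small Python audit that checks a web.xml against the preconditions the advisory lists: a DefaultServlet or WebdavServlet with readonly="false", the WebDAV servlet mapped to "/" (the "mapped as the Default servlet" case), and PUT/DELETE/MOVE/COPY not placed behind authentication by a security-constraint. The web.xml inputs are constructed for the demo, and treating only a site-wide "/*" constraint that carries an <auth-constraint> as blocking a method for untrusted users is a simplifying assumption of this script.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
WEBDAV_SERVLET = "org.apache.catalina.servlets.WebdavServlet"
# The methods the advisory names as affected; all of them modify resources.
MODIFYING_METHODS = ("PUT", "DELETE", "MOVE", "COPY")


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so the walk works with
    or without the javaee xmlns declaration on <web-app>."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name, default=""):
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else default


def parse_web_xml(xml_text):
    """Return (servlets, mappings, restricted):
    servlets   name -> {"class": ..., "readonly": "true" | "false"}
    mappings   name -> [url-pattern, ...]
    restricted HTTP methods that a /* security-constraint carrying an
               <auth-constraint> reserves for authenticated users."""
    root = ET.fromstring(xml_text)
    servlets, mappings, restricted = {}, {}, set()
    for s in _children(root, "servlet"):
        readonly = "true"  # documented default for both servlets
        for p in _children(s, "init-param"):
            if _text(p, "param-name") == "readonly":
                readonly = _text(p, "param-value").lower()
        servlets[_text(s, "servlet-name")] = {
            "class": _text(s, "servlet-class"), "readonly": readonly}
    for m in _children(root, "servlet-mapping"):
        mappings.setdefault(_text(m, "servlet-name"), []).extend(
            (u.text or "").strip() for u in _children(m, "url-pattern"))
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue  # without <auth-constraint> nobody is denied
        for wrc in _children(sc, "web-resource-collection"):
            patterns = [(u.text or "").strip() for u in _children(wrc, "url-pattern")]
            if "/*" not in patterns:
                continue  # assumption: only a site-wide /* constraint counts
            restricted.update((h.text or "").strip().upper()
                              for h in _children(wrc, "http-method"))
    return servlets, mappings, restricted


def audit(xml_text):
    """List the advisory preconditions met by this web.xml ([] = none)."""
    servlets, mappings, restricted = parse_web_xml(xml_text)
    exposed = ",".join(m for m in MODIFYING_METHODS if m not in restricted)
    findings = []
    for name, info in servlets.items():
        if info["readonly"] != "false" or not exposed:
            continue
        if info["class"] == DEFAULT_SERVLET:
            findings.append(f"{name}: DefaultServlet readonly=false; "
                            f"{exposed} open to unauthenticated users")
        elif info["class"] == WEBDAV_SERVLET and "/" in mappings.get(name, []):
            findings.append(f"{name}: WebdavServlet readonly=false and mapped as "
                            f"the default servlet; {exposed} open to unauthenticated users")
    return findings


def sample_web_xml(servlet_class, readonly, url_pattern, block_methods=False):
    """Constructed web.xml for the demo below, not a file from any deployment."""
    constraint = ""
    if block_methods:  # the advisory's second mitigation, as a security-constraint
        methods = "".join(f"<http-method>{m}</http-method>" for m in MODIFYING_METHODS)
        constraint = ("<security-constraint><web-resource-collection>"
                      "<web-resource-name>writes</web-resource-name>"
                      f"<url-pattern>/*</url-pattern>{methods}</web-resource-collection>"
                      "<auth-constraint/></security-constraint>")
    return f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>s</servlet-name>
    <servlet-class>{servlet_class}</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>{readonly}</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>s</servlet-name><url-pattern>{url_pattern}</url-pattern></servlet-mapping>
  {constraint}
</web-app>"""


if __name__ == "__main__":
    cases = [
        ("DefaultServlet, readonly=false", sample_web_xml(DEFAULT_SERVLET, "false", "/")),
        ("WebdavServlet mapped to /, readonly=false", sample_web_xml(WEBDAV_SERVLET, "false", "/")),
        ("WebdavServlet under /webdav/*, readonly=false", sample_web_xml(WEBDAV_SERVLET, "false", "/webdav/*")),
        ("DefaultServlet, readonly=false, methods behind auth", sample_web_xml(DEFAULT_SERVLET, "false", "/", True)),
        ("DefaultServlet, readonly=true (the default)", sample_web_xml(DEFAULT_SERVLET, "true", "/")),
    ]
    for label, xml_text in cases:
        print(f"{label}: {audit(xml_text) or 'no advisory precondition met'}")
```

Run it against a copy of conf/web.xml (and any webapp's WEB-INF/web.xml that redefines these servlets) with `audit(open(path).read())`; an empty list means neither listed precondition holds in that file.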



startStopThreads="0" and thread safety issues with SAXParser / Xerces

2017-09-20 Thread Torsten Krah
Hi,

I've enabled startStopThreads="0" to increase bootstrap time of my
servlet container using tomcat 8.5.15 and jdk 1.8.0_131-b11.
Sometimes (not every time) I've got something like this when the
entity manager factory is created from the contextInitialized callback:


##

javax.persistence.PersistenceException: [PersistenceUnit: welcome] Unable to build Hibernate SessionFactory
    at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.persistenceException(EntityManagerFactoryBuilderImpl.java:967)
    at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:892)
    at org.hibernate.jpa.HibernatePersistenceProvider.createEntityManagerFactory(HibernatePersistenceProvider.java:58)
    at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:55)
    at com.google.inject.persist.jpa.JpaPersistService.start(JpaPersistService.java:107)
    at my.custom.Listener.contextInitialized(BootstrapListener.java:82)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4745)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5207)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:952)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1823)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.hibernate.service.spi.ServiceException: Unable to create requested service [org.hibernate.engine.spi.CacheImplementor]
    at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:271)
    at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:233)
    at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:210)
    at org.hibernate.service.internal.SessionFactoryServiceRegistryImpl.getService(SessionFactoryServiceRegistryImpl.java:77)
    at org.hibernate.internal.SessionFactoryImpl.<init>(SessionFactoryImpl.java:240)
    at org.hibernate.boot.internal.SessionFactoryBuilderImpl.build(SessionFactoryBuilderImpl.java:445)
    at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:889)
    ... 18 more
Caused by: javax.cache.CacheException: org.ehcache.xml.exceptions.XmlConfigurationException: Error parsing XML configuration at classpath:hibernate-ehcache.xml
    at org.ehcache.jsr107.EhcacheCachingProvider$ConfigSupplier.getConfiguration(EhcacheCachingProvider.java:330)
    at org.ehcache.jsr107.EhcacheCachingProvider.getCacheManager(EhcacheCachingProvider.java:127)
    at org.ehcache.jsr107.EhcacheCachingProvider.getCacheManager(EhcacheCachingProvider.java:78)
    at org.ehcache.jsr107.EhcacheCachingProvider.getCacheManager(EhcacheCachingProvider.java:186)
    at org.hibernate.cache.jcache.JCacheRegionFactory.getCacheManager(JCacheRegionFactory.java:177)
    at org.hibernate.cache.jcache.JCacheRegionFactory.start(JCacheRegionFactory.java:68)
    at org.hibernate.cache.spi.RegionFactory.start(RegionFactory.java:63)
    at org.hibernate.internal.CacheImpl.<init>(CacheImpl.java:71)
    at org.hibernate.engine.spi.CacheInitiator.initiateService(CacheInitiator.java:28)
    at org.hibernate.engine.spi.CacheInitiator.initiateService(CacheInitiator.java:20)
    at org.hibernate.service.internal.SessionFactoryServiceRegistryImpl.initiateService(SessionFactoryServiceRegistryImpl.java:58)
    at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:259)
    ... 24 more
Caused by: org.ehcache.xml.exceptions.XmlConfigurationException: Error parsing XML configuration at classpath:hibernate-ehcache.xml
    at org.ehcache.xml.XmlConfiguration.<init>(XmlConfiguration.java:167)
    at org.ehcache.xml.XmlConfiguration.<init>(XmlConfiguration.java:131)
    at org.ehcache.jsr107.EhcacheCachingProvider$ConfigSupplier.getConfiguration(EhcacheCachingProvider.java:327)
    ... 35 more
Caused by: org.xml.sax.SAXParseException; lineNumber: 476; 

Tomcat 7/8/9 context path restrictions/validation

2017-09-20 Thread Konstantin Ryadov

Hello!
Could you explain context path (e.g. described on  
https://tomcat.apache.org/tomcat-7.0-doc/config/context.html ) value set in 
server.xml limitations?
Does it exist any context path validation (unescaped symbols, whitespaces and 
so on)?
Is first “/” always required in context path value? What is the difference 
between value with first “/” and without?
 
Ps
I found "All of the context paths within a particular Host must be unique." 
only in documentation.




[SECURITY] Apache Tomcat Possible additional RCE via JSP upload

2017-09-20 Thread Mark Thomas
All,

Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
Security Team has received multiple reports that a similar vulnerability
exists in all current Tomcat versions and affects all operating systems.

Unfortunately, one of these reports was made via the public bug tracker
[2] rather than responsibly via the Tomcat Security Team's private
mailing list [3].

We have not yet completed our investigation of these reports but, based
on the volume, and our initial investigation they appear to be valid.

From an initial analysis of the reports received, the vulnerability only
affects the following configurations:

Default Servlet
- Default Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests

WebDAV Servlet
- WebDAV Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests
  AND
- The documented advice not to map the WebDAV servlet as the Default
  servlet has been ignored

Please note that:
 - The WebDAV servlet is disabled by default
 - The default value for the readonly parameter is true for both the
   Default servlet and the WebDAV servlet

Therefore, a default Tomcat installation is not affected by this
potential vulnerability.

Based on our understanding to date, the potential vulnerability may be
mitigated by any of the following:
- setting readonly to true for the Default servlet and WebDAV servlet
- blocking HTTP methods that permit resource modification for untrusted
  users

We will provide updates to the community as our investigation of these
reports continues.

Mark
on behalf of the Apache Tomcat Security Team


[1] http://markmail.org/message/xqfchebiy6fjmvjz
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
[3] http://tomcat.apache.org/security.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
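As an added example (not part of Mark's message and not Tomcat's stock conf/web.xml): the Default servlet definition in the affected form the advisory describes, readonly="false", beside the hardened form, followed by a security-constraint that implements the second mitigation by denying resource-modifying methods to every caller. The servlet class and the readonly init-param are the real Tomcat names; the full list of denied methods beyond PUT is an assumption (the remaining WebDAV write methods), and only one of the two <servlet> definitions belongs in a real file.

```xml
<!-- Added example, not from the advisory or from Tomcat's distribution. -->

<!-- AFFECTED configuration, as described in the advisory: with readonly=false
     the Default servlet accepts HTTP PUT, so an untrusted client can write files. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- HARDENED form (first mitigation). true is also the default when the
     init-param is absent; stating it explicitly makes audits unambiguous.
     Use this definition INSTEAD of the one above, not alongside it. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- Second mitigation: block methods that permit resource modification.
     An empty <auth-constraint/> grants access to no role at all, so Tomcat
     answers these methods with 403 for every caller, authenticated or not.
     Method list is an assumption: PUT from the advisory plus the other
     WebDAV write methods. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Deny resource-modifying methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>MOVE</http-method>
        <http-method>COPY</http-method>
        <http-method>MKCOL</http-method>
        <http-method>PROPPATCH</http-method>
        <http-method>LOCK</http-method>
        <http-method>UNLOCK</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

A quick way to verify the constraint after a restart is to issue a PUT against a test path and confirm the server answers 403 rather than 201 or 204.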



Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-20 Thread Mark Thomas
On 19/09/17 14:10, Mark Thomas wrote:
> On 19/09/17 14:00, André Warnier (tomcat) wrote:
>> Hello.
>>
>> Did the issue below also affect the DAV application ?
> 
> Yes, as the WebDAV servlet also processes HTTP PUT requests.
> 
> The WebDAV servlet extends the Default servlet so they actually share
> the implementation.

Thinking about this a little more, it will depend on how the WebDAV
servlet is mapped. While there is a configuration where this would be an
issue for WebDAV, I don't think it is one that would normally be used.

Mark


> 
>> And if yes, also only under Windows ?
> 
> Yes. This is, as far as we can tell, Windows specific.
> 
> HTH,
> 
> Mark
> 
> 
>>
>>  Forwarded Message 
>> Subject: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution
>> via JSP upload
>> Date: Tue, 19 Sep 2017 11:58:44 +0100
>> From: Mark Thomas 
>> Reply-To: Tomcat Users List 
>> To: Tomcat Users List 
>> CC: annou...@tomcat.apache.org ,
>> annou...@apache.org, Tomcat Developers List 
>>
>> CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 7.0.0 to 7.0.79
>>
>> Description:
>> When running on Windows with HTTP PUTs enabled (e.g. via setting the
>> readonly initialisation parameter of the Default to false) it was
>> possible to upload a JSP file to the server via a specially crafted
>> request. This JSP could then be requested and any code it contained
>> would be executed by the server.
>>
>> Mitigation:
>> Users of the affected versions should apply one of the following
>> mitigations:
>> - Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)
>>
>> Credit:
>> This issue was reported responsibly to the Apache Tomcat Security Team
>> by iswin from 360-sg-lab (360观星实验室)
>>
>> History:
>> 2017-09-19 Original advisory
>>
>> References:
>> [1] http://tomcat.apache.org/security-7.html
>>

