[SECURITY] CVE-2022-34305 Apache Tomcat - XSS in examples web application
CVE-2022-34305 Apache Tomcat - XSS in examples web application

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M16
Apache Tomcat 10.0.0-M1 to 10.0.22
Apache Tomcat 9.0.30 to 9.0.64
Apache Tomcat 8.5.50 to 8.5.81

Description:
The Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Remove the examples web application as documented in the Tomcat security guide
- Upgrade to Apache Tomcat 10.1.0-M17 or later once released
- Upgrade to Apache Tomcat 10.0.23 or later once released
- Upgrade to Apache Tomcat 9.0.65 or later once released
- Upgrade to Apache Tomcat 8.5.82 or later once released

History:
2022-06-23 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
Re: Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)
thx, switching to v9 solves the problems :-)

On Thu, 23 Jun 2022 at 09:12, Rob Sargent <rsarg...@xmission.com> wrote:
> > On Jun 23, 2022, at 12:53 AM, Markus Reich wrote:
> >
> > yes, it seems that in the pom tomcat 10 is specified, does this make any
> > difference?
> > 10.0.18
> >
> >> On Thu, 23 Jun 2022 at 08:30, Rob Sargent <rsarg...@xmission.com> wrote:
> >>
> Yes. Quite big difference between v9 and v10. You must read the release
> notes. And your initial post mentions a v9 doc page. Stick with a single
> tomcat release
> >>
> >>> On Jun 22, 2022, at 11:36 PM, Markus Reich wrote:
> >>>
> >>> Hi,
> >>>
> >>> I'm trying to precompile a JSF application, I follow the instructions on
> >>> https://tomcat.apache.org/tomcat-9.0-doc/graal.html.
> >>>
> >>> I got a lot of errors like
> >>> Caused by: java.lang.ClassCastException: class
> >>> com.sun.faces.taglib.jsf_core.CoreValidator cannot be cast to class
> >>> jakarta.servlet.jsp.tagext.TagLibraryValidator
> >>> (com.sun.faces.taglib.jsf_core.CoreValidator and
> >>> jakarta.servlet.jsp.tagext.TagLibraryValidator are in unnamed module of
> >>> loader org.apache.tools.ant.AntClassLoader
> >>>
> >>> The header in JSP is
> >>> <%@page contentType="text/html"%>
> >>> <%@page pageEncoding="UTF-8"%>
> >>>
> >>> <%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
> >>> <%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
> >>>
> >>> <%@taglib prefix="t" uri="/WEB-INF/eclnt"%>
> >>>
> >>> regards
> >>> Meex
> >>
> >> Are you sure you haven't included something from Tomcat v10?
> >
> > --
> > Markus Reich
> > Waldweg 62
> > 6393 St. Ulrich am Pillersee
> > reich.mar...@gmail.com

--
Markus Reich
Waldweg 62
6393 St. Ulrich am Pillersee
reich.mar...@gmail.com
AW: Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)
Hello,

> -----Original Message-----
> From: Markus Reich
> Sent: Thursday, 23 June 2022 08:53
> To: Tomcat Users List
> Subject: Re: Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)
>
> yes, it seems that in the pom tomcat 10 is specified, does this make any
> difference?
> 10.0.18
>
> On Thu, 23 Jun 2022 at 08:30, Rob Sargent <rsarg...@xmission.com> wrote:
> >
> > > On Jun 22, 2022, at 11:36 PM, Markus Reich wrote:
> > >
> > > Hi,
> > >
> > > I'm trying to precompile a JSF application, I follow the
> > > instructions on https://tomcat.apache.org/tomcat-9.0-doc/graal.html.
> > >
> > > I got a lot of errors like
> > > Caused by: java.lang.ClassCastException: class
> > > com.sun.faces.taglib.jsf_core.CoreValidator cannot be cast to class
> > > jakarta.servlet.jsp.tagext.TagLibraryValidator
> > > (com.sun.faces.taglib.jsf_core.CoreValidator and
> > > jakarta.servlet.jsp.tagext.TagLibraryValidator are in unnamed module
> > > of loader org.apache.tools.ant.AntClassLoader
> > >
> > > The header in JSP is
> > > <%@page contentType="text/html"%>
> > > <%@page pageEncoding="UTF-8"%>
> > >
> > > <%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
> > > <%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
> > >
> > > <%@taglib prefix="t" uri="/WEB-INF/eclnt"%>
> > >
> > > regards
> > > Meex
> >
> > Are you sure you haven't included something from Tomcat v10?
>

Java EE changed to Jakarta EE because of some legal issues about naming. Many packages changed, like javax and sun. The new packages contain "Jakarta" now. Maybe this helps to determine whether it's a new or old package. Because of all the dependencies it can be quite exhaustive to figure out the old packages and check whether new ones are available.

Greetings,
Thomas
Re: Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)
> On Jun 23, 2022, at 12:53 AM, Markus Reich wrote:
>
> yes, it seems that in the pom tomcat 10 is specified, does this make any
> difference?
> 10.0.18
>
>> On Thu, 23 Jun 2022 at 08:30, Rob Sargent <rsarg...@xmission.com> wrote:
>>

Yes. Quite big difference between v9 and v10. You must read the release notes. And your initial post mentions a v9 doc page. Stick with a single tomcat release

>>
>>> On Jun 22, 2022, at 11:36 PM, Markus Reich wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to precompile a JSF application, I follow the instructions on
>>> https://tomcat.apache.org/tomcat-9.0-doc/graal.html.
>>>
>>> I got a lot of errors like
>>> Caused by: java.lang.ClassCastException: class
>>> com.sun.faces.taglib.jsf_core.CoreValidator cannot be cast to class
>>> jakarta.servlet.jsp.tagext.TagLibraryValidator
>>> (com.sun.faces.taglib.jsf_core.CoreValidator and
>>> jakarta.servlet.jsp.tagext.TagLibraryValidator are in unnamed module of
>>> loader org.apache.tools.ant.AntClassLoader
>>>
>>> The header in JSP is
>>> <%@page contentType="text/html"%>
>>> <%@page pageEncoding="UTF-8"%>
>>>
>>> <%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
>>> <%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
>>>
>>> <%@taglib prefix="t" uri="/WEB-INF/eclnt"%>
>>>
>>> regards
>>> Meex
>>
>> Are you sure you haven't included something from Tomcat v10?
>>
>
> --
> Markus Reich
> Waldweg 62
> 6393 St. Ulrich am Pillersee
> reich.mar...@gmail.com
Re: Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)
yes, it seems that in the pom tomcat 10 is specified, does this make any difference?
10.0.18

On Thu, 23 Jun 2022 at 08:30, Rob Sargent <rsarg...@xmission.com> wrote:
>
> > On Jun 22, 2022, at 11:36 PM, Markus Reich wrote:
> >
> > Hi,
> >
> > I'm trying to precompile a JSF application, I follow the instructions on
> > https://tomcat.apache.org/tomcat-9.0-doc/graal.html.
> >
> > I got a lot of errors like
> > Caused by: java.lang.ClassCastException: class
> > com.sun.faces.taglib.jsf_core.CoreValidator cannot be cast to class
> > jakarta.servlet.jsp.tagext.TagLibraryValidator
> > (com.sun.faces.taglib.jsf_core.CoreValidator and
> > jakarta.servlet.jsp.tagext.TagLibraryValidator are in unnamed module of
> > loader org.apache.tools.ant.AntClassLoader
> >
> > The header in JSP is
> > <%@page contentType="text/html"%>
> > <%@page pageEncoding="UTF-8"%>
> >
> > <%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
> > <%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
> >
> > <%@taglib prefix="t" uri="/WEB-INF/eclnt"%>
> >
> > regards
> > Meex
>
> Are you sure you haven't included something from Tomcat v10?

--
Markus Reich
Waldweg 62
6393 St. Ulrich am Pillersee
reich.mar...@gmail.com
RE: Are Apache versions cumulative ?
Thank you so much, Mark. Much appreciated.

-----Original Message-----
From: Mark Thomas
Sent: Wednesday, 22 June 2022 7:00 PM
To: Tomcat Users List
Subject: Re: Are Apache versions cumulative ?

On 22/06/2022 09:20, Jason Tan wrote:
> Hi there,
> Sorry to trouble you folks but I could not find on Google any proof/info that
> state Apache Tomcat fixes are cumulative.
> I have a customer asking me if fixes listed in
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.109
> cumulative ? E.g. Cumulative as meaning fixes in Tomcat 7.0.100 are also
> present in Tomcat 7.0.109.
> My guts tell me it's cumulative but I need some sort of proof for my customer.

Yes. Within a major version we don't patch older releases, we only produce new releases.

Tomcat major.minor.x contains all the fixes in major.minor.(x-1)

Mark
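An added example, not code from the advisory, the list or the Tomcat project, that ties the CVE-2022-34305 advisory at the top of this page to Mark's answer about cumulative fixes. It parses a Tomcat version string (milestones such as 10.1.0-M16 sort before the final 10.1.0), checks it against the four affected ranges the advisory lists, answers "does my installed version already carry a fix listed as fixed in X.Y.Z" the way Mark describes (same major.minor line, patch level at or above), and looks for the examples web application the advisory says to remove. The function names, the version.sh output parsing and the webapps/examples layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the mailing list). Assumes a
# standard CATALINA_BASE layout with webapps/examples and that
# $CATALINA_HOME/bin/version.sh prints "Server version: Apache Tomcat/X.Y.Z".

# Print "major minor patch milestone" for a Tomcat version string.
# Milestones (x.y.z-Mn) precede the final x.y.z, so a GA release gets
# milestone 9999 to sort after every milestone of the same number.
tc_parse_version() {
    v=$1
    base=${v%%-M*}
    if [ "$base" = "$v" ]; then ms=9999; else ms=${v#*-M}; fi
    maj=${base%%.*}
    rest=${base#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    echo "$maj $min $pat $ms"
}

# Collapse a version into one integer so that [ -ge ] / [ -le ] order it.
tc_version_key() {
    set -- $(tc_parse_version "$1")
    echo $(( (($1 * 1000 + $2) * 1000 + $3) * 10000 + $4 ))
}

# Exit 0 if the version lies in one of the ranges the advisory lists.
tc_affected_cve_2022_34305() {
    k=$(tc_version_key "$1")
    for range in "10.1.0-M1 10.1.0-M16" "10.0.0-M1 10.0.22" \
                 "9.0.30 9.0.64" "8.5.50 8.5.81"; do
        set -- $range
        lo=$(tc_version_key "$1")
        hi=$(tc_version_key "$2")
        if [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# Exit 0 if INSTALLED ($1) already carries a fix listed as "Fixed in" $2:
# same major.minor line and a patch level at or above it, since fixes
# accumulate within a line. Exit 2 when the two are different lines; the
# security page for the installed line has to be consulted instead.
tc_has_fix() {
    inst_line=$(tc_parse_version "$1" | cut -d' ' -f1,2)
    fixed_line=$(tc_parse_version "$2" | cut -d' ' -f1,2)
    [ "$inst_line" = "$fixed_line" ] || return 2
    [ "$(tc_version_key "$1")" -ge "$(tc_version_key "$2")" ]
}

# Pull the version out of captured version.sh output.
tc_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Server version: *Apache Tomcat\/\(.*\)$/\1/p' | head -n 1
}

# Report (and, with "remove" as the second argument, delete) the examples
# web application under a CATALINA_BASE. Exit 0 if it was present.
tc_examples_check() {
    base=$1
    action=${2:-report}
    found=1
    for p in "$base/webapps/examples" "$base/webapps/examples.war"; do
        if [ -e "$p" ]; then
            found=0
            echo "examples webapp present: $p"
            if [ "$action" = remove ]; then
                rm -rf -- "$p" && echo "removed $p"
            fi
        fi
    done
    return $found
}

# Stand-alone use: inspect the installation CATALINA_HOME points at.
if [ -n "${CATALINA_HOME:-}" ] && [ -x "$CATALINA_HOME/bin/version.sh" ]; then
    ver=$(tc_version_from_output "$("$CATALINA_HOME/bin/version.sh")")
    if tc_affected_cve_2022_34305 "$ver"; then
        echo "Tomcat $ver is inside an affected range for CVE-2022-34305"
    else
        echo "Tomcat $ver is outside the affected ranges"
    fi
    tc_examples_check "${CATALINA_BASE:-$CATALINA_HOME}" || echo "examples webapp not present"
fi
```

Run it with CATALINA_HOME set to report only; call `tc_examples_check "$CATALINA_BASE" remove` yourself once you have confirmed nothing in that directory is yours. The "Fixed in" check deliberately refuses to compare across lines, since 9.0.64 says nothing about whether a 7.0.x fix is present.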
Re: Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)
> On Jun 22, 2022, at 11:36 PM, Markus Reich wrote:
>
> Hi,
>
> I'm trying to precompile a JSF application, I follow the instructions on
> https://tomcat.apache.org/tomcat-9.0-doc/graal.html.
>
> I got a lot of errors like
> Caused by: java.lang.ClassCastException: class
> com.sun.faces.taglib.jsf_core.CoreValidator cannot be cast to class
> jakarta.servlet.jsp.tagext.TagLibraryValidator
> (com.sun.faces.taglib.jsf_core.CoreValidator and
> jakarta.servlet.jsp.tagext.TagLibraryValidator are in unnamed module of
> loader org.apache.tools.ant.AntClassLoader
>
> The header in JSP is
> <%@page contentType="text/html"%>
> <%@page pageEncoding="UTF-8"%>
>
> <%@taglib prefix="f" uri="http://java.sun.com/jsf/core"%>
> <%@taglib prefix="h" uri="http://java.sun.com/jsf/html"%>
>
> <%@taglib prefix="t" uri="/WEB-INF/eclnt"%>
>
> regards
> Meex

Are you sure you haven't included something from Tomcat v10?
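An added example, not code from the thread or from the Tomcat project, for the dependency check Thomas describes: which of the jars on a classpath still provide or reference the javax.* API namespace and which have moved to jakarta.*. The ClassCastException above is the typical symptom of mixing the two (a Mojarra CoreValidator compiled against javax.servlet.jsp loaded next to Tomcat 10's jakarta.servlet.jsp), and a listing like this shows the offending jar before the build does. The package prefix matching is a heuristic of this example's own, and the jar-walking wrapper assumes Info-ZIP's unzip is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies jars by the Servlet/JSP/
# EL/JSF API namespace they provide and the one their classes reference.

# Read a jar entry listing (one path per line) on stdin and print which
# API namespace the jar provides: javax, jakarta, mixed or none.
tc_classify_listing() {
    listing=$(cat)
    n_old=$(printf '%s\n' "$listing" | grep -c -E '^javax/(servlet|el|faces|websocket)/' || true)
    n_new=$(printf '%s\n' "$listing" | grep -c -E '^jakarta/(servlet|el|faces|websocket)/' || true)
    if [ "$n_old" -gt 0 ] && [ "$n_new" -gt 0 ]; then echo mixed
    elif [ "$n_old" -gt 0 ]; then echo javax
    elif [ "$n_new" -gt 0 ]; then echo jakarta
    else echo none
    fi
}

# Read raw .class bytes on stdin and count constant-pool strings that name
# the old and the new namespace; prints "javax=<n> jakarta=<m>". This is
# what catches an implementation jar such as Mojarra's com.sun.faces.*,
# which provides neither namespace itself but references one of them.
# Every non-identifier byte is turned into a newline so that each class or
# descriptor string lands on its own line for awk.
tc_count_refs() {
    tr -c 'A-Za-z0-9/_.$' '\n' | awk '
        /javax\/(servlet|el|faces|websocket)\//   { o++ }
        /jakarta\/(servlet|el|faces|websocket)\// { n++ }
        END { printf "javax=%d jakarta=%d\n", o + 0, n + 0 }'
}

# Walk every jar below DIR and print: namespace provided, reference counts,
# path. A "none javax=..." jar next to a "jakarta" API jar is the mismatch.
tc_scan_jars() {
    find "$1" -name '*.jar' | while IFS= read -r jar; do
        provides=$(unzip -Z1 "$jar" | tc_classify_listing)
        refs=$(unzip -p "$jar" '*.class' 2>/dev/null | tc_count_refs)
        printf '%-8s %-22s %s\n' "$provides" "$refs" "$jar"
    done
}

# Stand-alone use: tc_scan_jars WEB-INF/lib  or  tc_scan_jars ~/.m2/repository
if [ $# -gt 0 ]; then
    tc_scan_jars "$1"
fi
```

Point it at the application's WEB-INF/lib and at the jspc classpath used by webapp-jspc.ant.xml; with Tomcat 10 every row should read jakarta (API jars) or none with jakarta references only (implementation jars), and any javax row is the dependency that still needs its Jakarta-namespace release.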