RE: CVE-2023-28709 incomplete fix

2023-07-12 Thread Prodan, Andreea Adriana
Whether that is something which happened in the versions < 9.0.74 and now in the versions >= 9.0.74 is not the case anymore. -Original Message- From: Mark Thomas Sent: Wednesday, July 12, 2023 10:25 PM To: Tomcat Users List Subject: Re: CVE-2023-28709 incomplete fix 12 Jul 2023

Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2

2023-07-12 Thread Dan McLaughlin
Hey Mark, I found a workaround/fix. On the Tomcat Connector, instead of using protocol=HTTP/1.1, I changed it to protocol="org.apache.coyote.http11.Http11Nio2Protocol," I haven't had a single failure since. Not only that, but our application response times are noticeably faster. -- Thanks,

Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2

2023-07-12 Thread Dan McLaughlin
Well, the deeper I get into the problem, the more complicated it gets. I thought I was onto something, thinking the size of the JSON might have something to do with it, so I created a Python script to call curl POSTs with increasingly larger JSON thinking I would eventually hit some size limit,

Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2

2023-07-12 Thread Dan McLaughlin
Mark, I'm working on a test case. I've built a simple spring boot war with a rest API "jsonInput" that accepts any JSON and responds with {"message":"OK"}. What I've determined so far is that it only happens when you are proxying the request through Apache using mod_proxy_http2, and the size of

New Redis based SessionManager implementation: redex-sm

2023-07-12 Thread Jonathan S. Fisher
Hello Tomcat friends, We recently published to Maven Central (com.github.exabrial:redex-sm:1.0.2) a new Tomcat SessionManager that stores your serialized Sessions in a Redis instance. Details and usage are available here: https://github.com/exabrial/redex-sm The advantage of using a SessionManager

RE: Tomcat 9.0.76 Memory leak with Java 17

2023-07-12 Thread James Boggs
Chris, Yes, it is unintentional. Actually, once we start it with the Windows service and run through a few reports on the website, it stops in just a few minutes. We will look at the Java heap size settings. Regards, James Boggs -Original Message- From: Christopher Schultz Sent:

Re: Tomcat 9.0.76 Memory leak with Java 17

2023-07-12 Thread Christopher Schultz
James, On 7/12/23 15:41, James Boggs wrote: Thanks for the input. I will forward the email to our developers to look at the heap size settings being different. We have a Windows service that is used to start/stop Tomcat. When this happens we find that the Windows service is no longer running.

Re: Update javax libs to Jakarta libs in Apache Taglibs.

2023-07-12 Thread Christopher Schultz
Bharath, On 7/12/23 05:08, CHILUKA BHARATH wrote: The latest Apache Taglibs (https://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5) jar classes are using javax.servlet.* packages. Do we have any information w.r.t. supporting Jakarta when using this specific jar? If not, is there any plan

Re: Tomcat returning faulty "empty" header

2023-07-12 Thread Mark Thomas
12 Jul 2023 14:28:40 Lasse Lindqvist : Hi. Every once in a while in automatic tests I see an error Caused by: org.apache.http.ProtocolException: Invalid header: : at app//org.apache.http.impl.io.AbstractMessageParser.parseHeaders(AbstractMessageParser.java:230) at

RE: Tomcat 9.0.76 Memory leak with Java 17

2023-07-12 Thread James Boggs
Thanks for the input. I will forward the email to our developers to look at the heap size settings being different. We have a Windows service that is used to start/stop Tomcat. When this happens we find that the Windows service is no longer running. Thanks, James Boggs -Original

Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2

2023-07-12 Thread Mark Thomas
12 Jul 2023 13:40:18 Dan McLaughlin : I can confirm that if I switch h2 to http, everything works as expected, change it back to h2 or h2c, and it breaks. That makes me think it is an h2 bug in Tomcat. Mark, Please let me know if the http2 logs weren't enough to tell you what's happening;

Re: Tomcat 9.0.76 Memory leak with Java 17

2023-07-12 Thread Christopher Schultz
Michael, On 7/12/23 07:33, Michael Osipov wrote: On 2023/07/11 18:16:24 Christopher Schultz wrote: You should report all of the previous issues to Oracle against their ORDS version 22.1 and ask them to fix them. It's why you write those big, fat checks in the first place ;) This doesn't

Re: Tomcat 9.0.76 Memory leak with Java 17

2023-07-12 Thread Christopher Schultz
Suvendu, On 7/12/23 07:11, Suvendu Sekhar Mondal wrote: On Tue, Jul 11, 2023 at 11:48 PM Christopher Schultz wrote: James, On 7/11/23 10:21, James Boggs wrote: We had a stable SSL enabled website with Apache Tomcat 9.0.73 on Windows Server 2012 o/s, Java 8, Oracle ORDS 21.4 and SSL. We

Re: CVE-2023-28709 incomplete fix

2023-07-12 Thread Mark Thomas
12 Jul 2023 13:23:32 Prodan, Andreea Adriana : Hello, In regard to CVE-2023-28709 we would like to know if the vulnerability caused by the incomplete fix, "If non-default HTTP connector settings were used such that the

RE: Tomcat returning faulty "empty" header

2023-07-12 Thread Ganesan, Prabu
Hi Team, Could you please provide steps for installation of the Tomcat 9.0 version. We are very new to it. Thanks & Regards, Prabu Ganesan, Consultant | MS-Nordics, Capgemini India Pvt. Ltd. | Bangalore Contact: +91 8526554535 Email:

Tomcat returning faulty "empty" header

2023-07-12 Thread Lasse Lindqvist
Hi. Every once in a while in automatic tests I see an error Caused by: org.apache.http.ProtocolException: Invalid header: : at app//org.apache.http.impl.io.AbstractMessageParser.parseHeaders(AbstractMessageParser.java:230) at

Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2

2023-07-12 Thread Dan McLaughlin
I can confirm that if I switch h2 to http, everything works as expected, change it back to h2 or h2c, and it breaks. Mark, Please let me know if the http2 logs weren't enough to tell you what's happening; if not, I'll work on creating a simple standalone reproduction using docker. -- Thanks,

Re: Tomcat 9.0.76 Memory leak with Java 17

2023-07-12 Thread Michael Osipov
On 2023/07/11 18:16:24 Christopher Schultz wrote: > You should report all of the previous issues to Oracle against their > ORDS version 22.1 and ask them to fix them. It's why you write those > big, fat checks in the first place ;) This doesn't really matter. I have reported a memory leak in

CVE-2023-28709 incomplete fix

2023-07-12 Thread Prodan, Andreea Adriana
Hello, In regard to CVE-2023-28709 we would like to know if the vulnerability caused by the incomplete fix, "If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string

Re: Tomcat 9.0.76 Memory leak with Java 17

2023-07-12 Thread Suvendu Sekhar Mondal
Hi Chris, On Tue, Jul 11, 2023 at 11:48 PM Christopher Schultz wrote: > > James, > > On 7/11/23 10:21, James Boggs wrote: > > We had a stable SSL enabled website with Apache Tomcat 9.0.73 on Windows > > Server 2012 o/s, Java 8, Oracle ORDS 21.4 and SSL. > > > > We simultaneously upgraded to

Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2

2023-07-12 Thread Dan McLaughlin
Hi Mark, I already provided the output from org.apache.coyote.http2.level = FINE in the very first post to this thread. I didn't include everything because all the header information includes things I don't necessarily want to post publicly and because it would take a while for me to obfuscate.

Update javax libs to Jakarta libs in Apache Taglibs.

2023-07-12 Thread CHILUKA BHARATH
Hi Team, The latest Apache Taglibs (https://tomcat.apache.org/download-taglibs.cgi#Standard-1.2.5) jar classes are using javax.servlet.* packages. Do we have any information w.r.t. supporting Jakarta when using this specific jar? If not, is there any plan to release new jars by migrating javax

Re: Angular -> Apache 2.4.57 -> Tomcat 10.1.10 over HTTP2

2023-07-12 Thread Mark Thomas
On 11/07/2023 19:10, Dan McLaughlin wrote: One other note is that I can switch to h2c, and it still fails, and a packet capture shows the entire JSON is delivered to Tomcat, and when I put the JSON from the packet inspection together (Packets 10199 --> 10208) and compare it to what the browser says

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-07-12 Thread Mark Thomas
Hi Mario, That does look like a possible bug. I'll try and do a code review before the next release, but from experience, if you are able to figure out how to reproduce it, that would help a lot. Thanks, Mark On 06/07/2023 15:19, ma...@datenwort.at.INVALID wrote: Hello! I guess I found a