Re: oracle 12c driver (UNCLASSIFIED)

2018-06-20 Thread Maxim Solodovnik
We are currently using ojdbc6 in production.
I would use ojdbc8 for a new project
(http://www.oracle.com/technetwork/database/features/jdbc/jdbc-ucp-122-3110062.html).

I believe the problem is caused by connection pool settings, not the driver.


On Thu, Jun 21, 2018 at 2:38 AM Lueders, Paul T CIV USARMY NGIC (US) <
paul.t.lueders@mail.mil> wrote:

> CLASSIFICATION: UNCLASSIFIED
>
> We have configured an Oracle 12c connection using the Oracle JDBC
> connector. What we are experiencing is that the application is locking up
> and the database requires a restart. We believe that the issue is that the
> application is not releasing the connections and the database runs out of
> connections. The question I have is: is the JDBC driver the best one for
> Oracle 12c? If so, what would be some configuration items that we need to
> set in order to ensure that the application releases the connections
> efficiently? Lastly, is there a monitor available to watch the database
> connections?
>
> Thanks a lot
> Paul
> CLASSIFICATION: UNCLASSIFIED
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-- 
WBR
Maxim aka solomax


oracle 12c driver (UNCLASSIFIED)

2018-06-20 Thread Lueders, Paul T CIV USARMY NGIC (US)
CLASSIFICATION: UNCLASSIFIED

We have configured an Oracle 12c connection using the Oracle JDBC connector.
What we are experiencing is that the application is locking up and the database
requires a restart. We believe that the issue is that the application is not
releasing the connections and the database runs out of connections. The
question I have is: is the JDBC driver the best one for Oracle 12c? If so, what
would be some configuration items that we need to set in order to ensure that
the application releases the connections efficiently? Lastly, is there a
monitor available to watch the database connections?

Thanks a lot
Paul
CLASSIFICATION: UNCLASSIFIED




Re: [EXTERNAL] Re: Configuring CORS filter

2018-06-20 Thread Bradley, Richard
Thank you, Mark, for the quick reply!  Yeah... Apache reports it as LOW and
they report it as MEDIUM.  We have to mitigate all MEDIUM and HIGH
vulnerabilities.

Best regards,

Rick


On Wed, Jun 20, 2018 at 1:00 PM, Mark Thomas  wrote:

> On 20/06/18 18:16, Bradley, Richard wrote:
> > Hello,
> >
> > Tomcat version: 8.5.31
> > O/S: Windows Server 2008 R2
> >
> > McAfee vulnerability checker has reported a MEDIUM level vulnerability as
> > follows:
> >
> > Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
> > [FID 23621]
> >
> > Apache Software Foundation reports this in annou...@tomcat.apache.org:
> >
> > CVE-2018-8014 Insecure defaults for CORS filter
> >
> > and the only mitigation is to "Configure the filter appropriately for
> > your environment"
> >
> > My question is:
> >
> > What if you don't have a CORS filter configured anywhere in the Tomcat
> > and web apps associated web.xml files?
>
> You have nothing to worry about.
>
> Well, apart from the poor quality of your vulnerability scanner that
> looks like it is reporting a CORS issue without checking to see if CORS
> headers are being sent.
>
> Mark
>
>


-- 
Richard M. Bradley (Rick)

*Geospatial Engineer*
BLM NOC EGIS
Sanborn Map Company, Inc.
Phone number: (303) 236-4538
rmbrad...@blm.gov




"Decide that you want it more than you're afraid of it.  Your greatest
dreams are all on the other side of the wall of fear and caution."

- Unknown

This e-mail, including any attachments, contains information intended only
for the use of the individual or entity to which it is addressed and may
contain information that is privileged and/or confidential or is otherwise
protected by law. If you are not the intended recipient or agent or an
employee responsible for delivering the communication to the intended
recipient, you are hereby notified that any review, use, disclosure,
copying and/or distribution of its contents is prohibited. If you have
received this e-mail in error, please notify us immediately by reply to
sender only and destroy the original.


Re: Configuring CORS filter

2018-06-20 Thread Mark Thomas
On 20/06/18 18:16, Bradley, Richard wrote:
> Hello,
> 
> Tomcat version: 8.5.31
> O/S: Windows Server 2008 R2
> 
> McAfee vulnerability checker has reported a MEDIUM level vulnerability as
> follows:
> 
> Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
> [FID 23621]
> 
> Apache Software Foundation reports this in annou...@tomcat.apache.org:
> 
> CVE-2018-8014 Insecure defaults for CORS filter
> 
> and the only mitigation is to "Configure the filter appropriately for your
> environment"
> 
> My question is:
> 
> What if you don't have a CORS filter configured anywhere in the Tomcat and
> web apps associated web.xml files?

You have nothing to worry about.

Well, apart from the poor quality of your vulnerability scanner that
looks like it is reporting a CORS issue without checking to see if CORS
headers are being sent.

Mark





Configuring CORS filter

2018-06-20 Thread Bradley, Richard
Hello,

Tomcat version: 8.5.31
O/S: Windows Server 2008 R2

McAfee vulnerability checker has reported a MEDIUM level vulnerability as
follows:

Vulnerability: CVE-2018-8014: Apache Tomcat Vulnerability Prior To 8.5.32
[FID 23621]

Apache Software Foundation reports this in annou...@tomcat.apache.org:

CVE-2018-8014 Insecure defaults for CORS filter

and the only mitigation is to "Configure the filter appropriately for your
environment"

My question is:

What if you don't have a CORS filter configured anywhere in the Tomcat and
web apps associated web.xml files?

It seems that if you explicitly configure a minimum filter specified in the
documentation

(https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CORS_Filter)

then you have to be concerned about the cors.support.credentials allowing
the default of "true".

Thanks,

Rick





-- 
Richard M. Bradley (Rick)

*Geospatial Engineer*
BLM NOC EGIS
Sanborn Map Company, Inc.
Phone number: (303) 236-4538
rmbrad...@blm.gov
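
One way to answer the question raised in this thread from the deployment itself, as an added example that is not part of the original messages or of Tomcat: parse each web.xml, report whether org.apache.catalina.filters.CorsFilter is declared and mapped, and which of its settings fall back to defaults. It assumes the defaults in releases before 8.5.32 are cors.allowed.origins=* and cors.support.credentials=true; the function name, result keys and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CORS_CLASS = "org.apache.catalina.filters.CorsFilter"
# Assumed fallbacks in releases affected by CVE-2018-8014 (before 8.5.32).
LEGACY_DEFAULTS = {"cors.allowed.origins": "*", "cors.support.credentials": "true"}

# Helpers: strip the XML namespace; read a direct child's text ("" if absent).
def _local(tag):
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def audit_web_xml(xml_text):
    """Return one finding per CorsFilter declared in a web.xml document."""
    root = ET.fromstring(xml_text)
    mapped = {_text(m, "filter-name") for m in root.iter() if _local(m.tag) == "filter-mapping"}
    findings = []
    for flt in root.iter():
        if _local(flt.tag) != "filter" or _text(flt, "filter-class") != CORS_CLASS:
            continue
        explicit = {_text(p, "param-name"): _text(p, "param-value")
                    for p in flt if _local(p.tag) == "init-param"}
        effective = {**LEGACY_DEFAULTS, **explicit}
        findings.append({
            "filter": _text(flt, "filter-name"),
            "mapped": _text(flt, "filter-name") in mapped,
            "defaulted": sorted(set(LEGACY_DEFAULTS) - set(explicit)),
            "credentials_for_any_origin": effective["cors.allowed.origins"] == "*"
                and effective["cors.support.credentials"].lower() == "true",
        })
    return findings

# Constructed samples: no CORS filter, the minimal declaration, explicit settings.
NO_FILTER = "<web-app><servlet><servlet-name>app</servlet-name></servlet></web-app>"
MINIMAL = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class></filter>
  <filter-mapping><filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
EXPLICIT = MINIMAL.replace("</filter-class>", """</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name>
      <param-value>https://app.example.org</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name>
      <param-value>false</param-value></init-param>""")

if __name__ == "__main__":
    print([audit_web_xml(d) for d in (NO_FILTER, MINIMAL, EXPLICIT)])
```

An empty result for every web.xml (the global conf/web.xml and each application's WEB-INF/web.xml) is the "no CORS filter configured" case asked about above.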



RE: mod_jk: Forwarding URLs containing escaped slashes (e.g. for REST services) fail with syntactical-wrong double-escaping

2018-06-20 Thread Jäkel , Guido
Dear Markus,

I'm not using Tomcat as backend here. And in addition, this will not help in 
case of syntactically wrong URL patterns like '%252F' produced by mod_jk.

Thank you, anyway -- maybe emphasizing this option is useful for others here
using Tomcat.

Guido

>-Original Message-
>From: i...@flyingfischer.ch [mailto:i...@flyingfischer.ch]
>Sent: Wednesday, June 20, 2018 12:52 PM
>To: users@tomcat.apache.org
>Subject: Re: mod_jk: Forwarding URLs containing escaped slashes (e.g. for REST
>services) fail with syntactical-wrong double-escaping
>
>> Hi all,
>>
>> I have problems to pass (REST-) URLs containing escaped slashes ('%2F') in
>> path elements using the Apache httpd and mod_jk to the application server
>> (in fact not Tomcat, but WildFly. But this is of no matter, here).
>>
>> This kind of URL may be accepted by the httpd using the option
>> 'AllowEncodedSlashes=NoDecode'. But then, while using the mode
>> 'ForwardURIProxy' for mod_jk, they are re-encoded in a bad way: As '%252F',
>> because the percent sign itself is escaped by accident. The result is a
>> syntactically bad URL which is rejected by the application server.
>>
>> I already filed this last week as
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=62459 . Please, may some
>> maintainer take a look at this?
>>
>> with greetings
>>
>> Guido
>>
>
>You may want to create setenv.sh in CATALINA_HOME/bin with the following
>option:
>
>export JAVA_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
>
>
>Markus
>



Re: mod_jk: Forwarding URLs containing escaped slashes (e.g. for REST services) fail with syntactical-wrong double-escaping

2018-06-20 Thread i...@flyingfischer.ch
> Hi all,
> 
> I have problems to pass (REST-) URLs containing escaped slashes ('%2F') in
> path elements using the Apache httpd and mod_jk to the application server
> (in fact not Tomcat, but WildFly. But this is of no matter, here).
>
> This kind of URL may be accepted by the httpd using the option
> 'AllowEncodedSlashes=NoDecode'. But then, while using the mode
> 'ForwardURIProxy' for mod_jk, they are re-encoded in a bad way: As '%252F',
> because the percent sign itself is escaped by accident. The result is a
> syntactically bad URL which is rejected by the application server.
>
> I already filed this last week as
> https://bz.apache.org/bugzilla/show_bug.cgi?id=62459 . Please, may some
> maintainer take a look at this?
> 
> with greetings
> 
> Guido
> 

You may want to create setenv.sh in CATALINA_HOME/bin with the following
option:

export JAVA_OPTS="-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"


Markus




mod_jk: Forwarding URLs containing escaped slashes (e.g. for REST services) fail with syntactical-wrong double-escaping

2018-06-20 Thread Jäkel , Guido
Hi all,

I have problems to pass (REST-) URLs containing escaped slashes ('%2F') in path
elements using the Apache httpd and mod_jk to the application server (in
fact not Tomcat, but WildFly. But this is of no matter, here).

This kind of URL may be accepted by the httpd using the option
'AllowEncodedSlashes=NoDecode'. But then, while using the mode
'ForwardURIProxy' for mod_jk, they are re-encoded in a bad way: As '%252F',
because the percent sign itself is escaped by accident. The result is a
syntactically bad URL which is rejected by the application server.

I already filed this last week as
https://bz.apache.org/bugzilla/show_bug.cgi?id=62459 . Please, may some
maintainer take a look at this?

with greetings

Guido
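
The double-escaping described in this message, modelled as an added example (not code from the original post and not mod_jk's implementation): a re-encoder that escapes '%' turns '%2F' into '%252F', while one that passes existing %XX escapes through leaves it intact, and a small check flags the '%25XX' shape in forwarded paths. The function names and the sample path are constructed for illustration.

```python
import re
from urllib.parse import quote

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
DOUBLE_ESCAPE = re.compile(r"%25[0-9A-Fa-f]{2}")

def naive_reencode(path):
    """Escape everything outside the unreserved set and '/', the '%' included."""
    return quote(path, safe="/")

def preserving_reencode(path):
    """Escape unsafe characters but pass existing %XX escapes through unchanged."""
    out, pos = [], 0
    for m in PCT_ESCAPE.finditer(path):
        out.append(quote(path[pos:m.start()], safe="/"))  # text before the escape
        out.append(m.group(0))                            # the escape itself, as-is
        pos = m.end()
    out.append(quote(path[pos:], safe="/"))               # remainder after the last escape
    return "".join(out)

def double_escapes(path):
    """Return %25XX runs, the shape an already-escaped byte takes when escaped again.
    A literal '%' followed by two hex digits encodes the same way, so treat hits
    as candidates to review, not proof."""
    return DOUBLE_ESCAPE.findall(path)

# Constructed request path: one escaped slash inside a path element, plus a space.
SAMPLE = "/rest/items/reports%2F2018/summary v1"

if __name__ == "__main__":
    for fn in (naive_reencode, preserving_reencode):
        result = fn(SAMPLE)
        print(f"{fn.__name__:20} {result}  double escapes: {double_escapes(result)}")
```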


[ANN] Apache Tomcat Native 1.2.17 released

2018-06-20 Thread Jean-Frederic Clere
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.17 stable.

The key features of this release are:
- Windows binaries built with APR 1.6.3 and OpenSSL 1.0.2o.
- Fix Certificate verification using CRL.
- Arrange OCSP response processing.

Note that users should now be using 1.2.x in preference to 1.1.x.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Downloads:
http://tomcat.apache.org/download-native.cgi

The Apache Tomcat Native Library provides a portable API for features
not found in contemporary JDKs. It uses Apache Portable Runtime as
an operating system abstraction layer and OpenSSL for SSL networking and
allows optimal performance in production environments.
