Re: Vulnerability flagged in Nessus Scan

2020-06-03 Thread FANG YAP
Hi Martin,

Thank you for your email.

In my application's web.xml, there is already a default error-code mapping
that defines 404 (../error_404.jsp), 403 (../error_403.jsp), 500
(../error_500.jsp) and java.lang.Throwable (../systemError.jsp),

whereas the Tomcat web.xml defines the previous error page on exception.

Do I have to declare the same error codes from the application's web.xml in
the Tomcat web.xml as well?

Hi John,

Thank you for your reply.

In the tomcat server.xml, there is already a Valve tag like  under 

Is your resolution to include another Valve tag below the access log
valve?

Regards with Thanks,

Fang

On Thu, 4 Jun 2020, 06:03 John Palmer,  wrote:

> As the concern is that an error page will show the Tomcat version/patch info
> AND a stacktrace,
> I found the easier/better? solution to be adding showReport="false"
> showServerInfo="false"
> to the Error Report Valve section at the bottom of server.xml (and adding or
> uncommenting that valve section...):
>
>   <Valve className="org.apache.catalina.valves.ErrorReportValve"
>          showReport="false" showServerInfo="false" />
>
> On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov 
> wrote:
>
> > On Wed, Jun 3, 2020 at 11:14 AM FANG YAP  wrote:
> >
> > > Hello Martin,
> > >
> > > Is it to say that I have to declare something like this in the web.xml
> file?
> > >
> > > <error-page>
> > >   <exception-type>java.lang.Exception</exception-type>
> > >   <location>/error.jsp</location>
> > > </error-page>
> >
> > Better use the error-code ones from the StackOverflow link I gave you.
> > Your approach will cover only error code 500 (for Exceptions, but not for
> > java.lang.Error) and won't cover NotFound (404) and the others.
> > I guess Nessus won't be totally happy with your approach.
> >
> >
> > >
> > > Regards with Thanks,
> > >
> > > Fang
> > >
> > > On Wed, 3 Jun 2020, 15:56 Martin Grigorov, 
> wrote:
> > >
> > > > Hi,
> > > >
> > > > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP  wrote:
> > > >
> > > > > Resend
> > > > >
> > > > > On Wed, 3 Jun 2020, 10:10 FANG YAP,  wrote:
> > > > >
> > > > > > Hi Tomcat,
> > > > > >
> > > > > > Nessus scanned and found issue in Apache Tomcat Port 8080
> > > > > >
> > > > > > Port: 8080
> > > > > > Plugin Text:
> > > > > > The server is not configured to return a custom page in the event
> > > > > > of a client requesting a non-existent resource. This may result in a
> > > > > > potential disclosure of sensitive information about the server to an
> > > > > > attacker.
> > > > > >
> > > > > > Apache Tomcat Version: 8.5.43
> > > > > > JDK 8: 1.8.0_212 (Will be upgrading soon to latest 1.8.0_251)
> > > > >
> > > >
> > > > To configure custom error pages and thus to suppress this issue you
> > can:
> > > > 1) use ErrorReportValve
> > > > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
> > > >
> > > > 2) configure error-page elements in your application web.xml -
> > > > https://stackoverflow.com/a/7066536/497381
> > > >
> > > >
> > > > > >
> > > > > > Your assistance would be greatly appreciated
> > > > > >
> > > > > > Rgs,
> > > > > > Fang
> > > > > >
> > > > >
> > > >
> > >
> >
>
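
Putting Martin's two options together, as an added example rather than configuration posted by anyone in this thread: the first fragment is an application WEB-INF/web.xml with error-page mappings for the status codes and the exception type discussed above, the second is the Host section of conf/server.xml with the ErrorReportValve John describes. The JSP paths under /WEB-INF/errors/, the host name and the access log settings are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Added example (not from the thread). Status-code mappings: the
       scanner's check is the 404 one, but 403 and 500 leak the same server
       signature if left to the default page. The JSP paths under
       /WEB-INF/errors/ are an assumption; keeping them below WEB-INF means
       clients cannot request them directly, while the container can still
       forward to them. -->
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/errors/error_404.jsp</location>
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/WEB-INF/errors/error_403.jsp</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/errors/error_500.jsp</location>
  </error-page>

  <!-- java.lang.Throwable rather than java.lang.Exception, so that
       java.lang.Error subclasses (OutOfMemoryError, NoClassDefFoundError)
       are covered too, which is the gap Martin points out. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/WEB-INF/errors/systemError.jsp</location>
  </error-page>

  <!-- Servlet 3.0+ default error page: any status code or exception type
       without a more specific mapping above (405, 503, ...) lands here. -->
  <error-page>
    <location>/WEB-INF/errors/default.jsp</location>
  </error-page>
</web-app>

<!-- conf/server.xml, inside <Engine>. A request for a context path that is
     not deployed at all never reaches any application's web.xml; the Host's
     ErrorReportValve renders that 404, so it needs the same hardening. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  <!-- Declaring the valve explicitly replaces the one Tomcat would otherwise
       add implicitly. showReport="false" drops the stack trace and
       showServerInfo="false" drops the "Apache Tomcat/8.5.43" line. -->
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false" showServerInfo="false" />
</Host>
```

The error JSPs themselves should be static: a page that echoes the exception message, the requested URI or request parameters re-creates the disclosure the mapping was meant to remove. Note also that conf/web.xml is merged into every application's descriptor, so an error-page declared there applies container-wide, but its location is resolved inside each application and must exist in each one. To confirm the finding is closed, request a random non-existent path on port 8080 and check that the body contains neither a version string nor a stack trace; that is essentially what the scanner plugin does.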


tomcat 9.0 doesn't load the ECDSA keystore. (ver # 9.0.24)

2020-06-03 Thread Madhan Raj
Hi All,

OS - CentOS 7.6.1810 (Core)

The connector below doesn't load my EC keystore, whereas it works with RSA.
Any insights please.

This is my connector tag in server.xml:






Tomcat start-up command used:
 /home/tomcat/tomcat -user tomcat -home /usr/local/thirdparty/java/j2sdk
-pidfile /usr/local/thirdparty/jakarta-tomcat/conf/tomcat.pid -procname
/home/tomcat/tomcat -outfile
/usr/local/thirdparty/jakarta-tomcat/logs/catalina.out -errfile &1
-Djdk.tls.ephemeralDHKeySize=2048
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027
-Djava.util.logging.config.file=/usr/local/thirdparty/jakarta-tomcat/conf/logging.properties
-agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n
-XX:+UseParallelGC -XX:GCTimeRatio=99 -XX:MaxGCPauseMillis=80 -Xmx1824m
-Xms256m -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-cp
/usr/local/thirdparty/jakarta-tomcat/bin/bootstrap.jar:/usr/local/thirdparty/jakarta-tomcat/bin/tomcat-juli.jar
-Djava.security.policy==/usr/local/thirdparty/jakarta-tomcat/conf/catalina.policy
-Dcatalina.base=/usr/local/thirdparty/jakarta-tomcat
-Dcatalina.home=/usr/local/thirdparty/jakarta-tomcat
-Djava.io.tmpdir=/usr/local/thirdparty/jakarta-tomcat/temp
org.apache.catalina.startup.Bootstrap start'

JAVA_OPTS= -Djava.library.path=$LD_LIBRARY_PATH
-Djavax.net.ssl.sessionCacheSize=1
 
-Djavax.net.ssl.trustStore=/usr/local/platform/.security/tomcat/trust-certs/tomcat-trust.keystore
-Djavax.net.ssl.trustStorePassword=$TRUST_STORE_PASSWORD
-XX:ErrorFile=$CATALINA_HOME/logs/diagnostic-info.jvm-crash.%p.tomcat.txt
-Dsun.zip.disableMemoryMapping=true
-XX:OnOutOfMemoryError=/home/tomcat/tomcat_diagnostics.sh
-XX:OnError=/home/tomcat/tomcat_diagnostics.sh $TOMCAT_JAVA_OPTS

Also, can I have both RSA and ECDSA in a single keystore? Will that work in
Tomcat 9? It used to work with Tomcat 7.

Thanks,
Madhan
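
The connector from the message above did not survive extraction, so the following is an added example of how Tomcat 9 serves an RSA and an EC certificate from one connector, not the poster's configuration and not an answer from the list. Keystore path, type, password and aliases are assumptions.

```xml
<!-- Added example, not from the thread. Tomcat 9 conf/server.xml: one TLS
     connector that offers both an RSA and an EC certificate. The client's
     offered cipher suites and signature algorithms decide which one is
     used in a given handshake. Keystore details are assumptions. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig hostName="_default_"
                 protocols="TLSv1.2"
                 honorCipherOrder="true">
    <!-- Both keys may live in the same keystore: certificateKeyAlias picks
         the entry, and type tells Tomcat which cipher suites the
         certificate is compatible with (RSA, DSA or EC). -->
    <Certificate certificateKeystoreFile="conf/tomcat.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="rsa"
                 type="RSA" />
    <Certificate certificateKeystoreFile="conf/tomcat.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="ec"
                 type="EC" />
  </SSLHostConfig>
</Connector>
```

A keystore password written into server.xml is readable by anyone who can read the file; with the UMASK=0027 setting from the start-up command above that is the tomcat user and its group, which is the minimum this layout allows. Once the connector starts, each certificate can be exercised separately from a client by forcing an ECDSA-only suite, for example `openssl s_client -connect host:8443 -cipher ECDHE-ECDSA-AES128-GCM-SHA256`, and then an RSA-only one, checking the certificate chain printed for each; if the EC entry still fails to load, the reason is logged at connector start in catalina.out.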


Re: Vulnerability flagged in Nessus Scan

2020-06-03 Thread John Palmer
As the concern is that an error page will show the Tomcat version/patch info
AND a stacktrace,
I found the easier/better? solution to be adding showReport="false"
showServerInfo="false"
to the Error Report Valve section at the bottom of server.xml (and adding or
uncommenting that valve section...):

  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false" showServerInfo="false" />

On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov  wrote:

> On Wed, Jun 3, 2020 at 11:14 AM FANG YAP  wrote:
>
> > Hello Martin,
> >
> > Is it to say that I have to declare something like this in the web.xml file?
> >
> > <error-page>
> >   <exception-type>java.lang.Exception</exception-type>
> >   <location>/error.jsp</location>
> > </error-page>
>
> Better use the error-code ones from the StackOverflow link I gave you.
> Your approach will cover only error code 500 (for Exceptions, but not for
> java.lang.Error) and won't cover NotFound (404) and the others.
> I guess Nessus won't be totally happy with your approach.
>
>
> >
> > Regards with Thanks,
> >
> > Fang
> >
> > On Wed, 3 Jun 2020, 15:56 Martin Grigorov,  wrote:
> >
> > > Hi,
> > >
> > > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP  wrote:
> > >
> > > > Resend
> > > >
> > > > On Wed, 3 Jun 2020, 10:10 FANG YAP,  wrote:
> > > >
> > > > > Hi Tomcat,
> > > > >
> > > > > Nessus scanned and found issue in Apache Tomcat Port 8080
> > > > >
> > > > > Port: 8080
> > > > > Plugin Text:
> > > > > The server is not configured to return a custom page in the event of
> > > > > a client requesting a non-existent resource. This may result in a
> > > > > potential disclosure of sensitive information about the server to an
> > > > > attacker.
> > > > >
> > > > > Apache Tomcat Version: 8.5.43
> > > > > JDK 8: 1.8.0_212 (Will be upgrading soon to latest 1.8.0_251)
> > > >
> > >
> > > To configure custom error pages and thus to suppress this issue you
> can:
> > > 1) use ErrorReportValve
> > > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
> > >
> > > 2) configure error-page elements in your application web.xml -
> > > https://stackoverflow.com/a/7066536/497381
> > >
> > >
> > > > >
> > > > > Your assistance would be greatly appreciated
> > > > >
> > > > > Rgs,
> > > > > Fang
> > > > >
> > > >
> > >
> >
>


Re: HTTP2 keepAliveTimeout changed from Infinite to 20 seconds (default)

2020-06-03 Thread Rémy Maucherat
Hi,

On Wed, Jun 3, 2020 at 4:35 PM Arshiya Shariff
 wrote:

> Hi Mark,
> The keepAliveTimeout for HTTP2, in the later Tomcat versions, is set to a
> default value of 20 seconds and can be overridden.
> Is there a reason that the keepAliveTimeout has been changed from infinite
> to 20 seconds (default)? Were there any issues around this?
>
> This is just for information.
>

Please don't email developers directly.

Are you referring to this commit?
https://github.com/apache/tomcat/commit/c16d9d810a1f64cd768ff33058936cf8907e3117

If so, then this is in 9.0.16+. HTTP/2 is a newer part of Tomcat and a
large component, so you'll have to be prepared to update relatively often
to pick up necessary fixes.

Rémy


>
> Thanks and Regards
> Arshiya Shariff
>


HTTP2 keepAliveTimeout changed from Infinite to 20 seconds (default)

2020-06-03 Thread Arshiya Shariff
Hi Mark,
The keepAliveTimeout for HTTP2, in the later Tomcat versions, is set to a
default value of 20 seconds and can be overridden.
Is there a reason that the keepAliveTimeout has been changed from infinite to
20 seconds (default)? Were there any issues around this?

This is just for information.

Thanks and Regards
Arshiya Shariff
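
As an added example, not configuration from this thread: where the override mentioned above goes in Tomcat 9.0.16+. The HTTP/2 idle timeout is an attribute of the UpgradeProtocol element, not of the Connector, whose own keepAliveTimeout governs HTTP/1.1 keep-alive; both are in milliseconds. Port and keystore details are assumptions.

```xml
<!-- Added example, not from the thread. Tomcat 9.0.16+ conf/server.xml.
     The Connector's keepAliveTimeout is the HTTP/1.1 keep-alive idle
     timeout; the HTTP/2 one is set on the UpgradeProtocol. 20000 is the
     default this thread asks about; here the HTTP/2 value is raised to
     60 s as an illustration of overriding it. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keepAliveTimeout="20000">
  <!-- Milliseconds between HTTP/2 frames, with no active stream, before
       Tomcat closes the connection. -->
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                   keepAliveTimeout="60000" />
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/tomcat.p12"
                 certificateKeystorePassword="changeit"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

An idle HTTP/2 connection with no timeout holds a socket and its connection state for as long as the peer keeps it open, so a bounded default also bounds how much a client that opens connections and then goes quiet can tie up; raise it deliberately, per workload, rather than restoring the old unbounded behaviour.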


Re: Vulnerability flagged in Nessus Scan

2020-06-03 Thread Martin Grigorov
On Wed, Jun 3, 2020 at 11:14 AM FANG YAP  wrote:

> Hello Martin,
>
> Is it to say that I have to declare something like this in the web.xml file?
>
> <error-page>
>   <exception-type>java.lang.Exception</exception-type>
>   <location>/error.jsp</location>
> </error-page>

Better use the error-code ones from the StackOverflow link I gave you.
Your approach will cover only error code 500 (for Exceptions, but not for
java.lang.Error) and won't cover NotFound (404) and the others.
I guess Nessus won't be totally happy with your approach.


>
> Regards with Thanks,
>
> Fang
>
> On Wed, 3 Jun 2020, 15:56 Martin Grigorov,  wrote:
>
> > Hi,
> >
> > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP  wrote:
> >
> > > Resend
> > >
> > > On Wed, 3 Jun 2020, 10:10 FANG YAP,  wrote:
> > >
> > > > Hi Tomcat,
> > > >
> > > > Nessus scanned and found issue in Apache Tomcat Port 8080
> > > >
> > > > Port: 8080
> > > > Plugin Text:
> > > > The server is not configured to return a custom page in the event of a
> > > > client requesting a non-existent resource. This may result in a
> > > > potential disclosure of sensitive information about the server to an
> > > > attacker.
> > > >
> > > > Apache Tomcat Version: 8.5.43
> > > > JDK 8: 1.8.0_212 (Will be upgrading soon to latest 1.8.0_251)
> > >
> >
> > To configure custom error pages and thus to suppress this issue you can:
> > 1) use ErrorReportValve
> > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
> >
> > 2) configure error-page elements in your application web.xml -
> > https://stackoverflow.com/a/7066536/497381
> >
> >
> > > >
> > > > Your assistance would be greatly appreciated
> > > >
> > > > Rgs,
> > > > Fang
> > > >
> > >
> >
>


Re: Vulnerability flagged in Nessus Scan

2020-06-03 Thread FANG YAP
Hello Martin,

Is it to say that I have to declare something like this in the web.xml file?

<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/error.jsp</location>
</error-page>
Regards with Thanks,

Fang

On Wed, 3 Jun 2020, 15:56 Martin Grigorov,  wrote:

> Hi,
>
> On Wed, Jun 3, 2020 at 5:53 AM FANG YAP  wrote:
>
> > Resend
> >
> > On Wed, 3 Jun 2020, 10:10 FANG YAP,  wrote:
> >
> > > Hi Tomcat,
> > >
> > > Nessus scanned and found issue in Apache Tomcat Port 8080
> > >
> > > Port: 8080
> > > Plugin Text:
> > > The server is not configured to return a custom page in the event of a
> > > client requesting a non-existent resource. This may result in a
> > > potential disclosure of sensitive information about the server to an
> > > attacker.
> > >
> > > Apache Tomcat Version: 8.5.43
> > > JDK 8: 1.8.0_212 (Will be upgrading soon to latest 1.8.0_251)
> >
>
> To configure custom error pages and thus to suppress this issue you can:
> 1) use ErrorReportValve
> <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
>
> 2) configure error-page elements in your application web.xml -
> https://stackoverflow.com/a/7066536/497381
>
>
> > >
> > > Your assistance would be greatly appreciated
> > >
> > > Rgs,
> > > Fang
> > >
> >
>


Re: Vulnerability flagged in Nessus Scan

2020-06-03 Thread Martin Grigorov
Hi,

On Wed, Jun 3, 2020 at 5:53 AM FANG YAP  wrote:

> Resend
>
> On Wed, 3 Jun 2020, 10:10 FANG YAP,  wrote:
>
> > Hi Tomcat,
> >
> > Nessus scanned and found issue in Apache Tomcat Port 8080
> >
> > Port: 8080
> > Plugin Text:
> > The server is not configured to return a custom page in the event of a
> > client requesting a non-existent resource. This may result in a potential
> > disclosure of sensitive information about the server to an attacker.
> >
> > Apache Tomcat Version: 8.5.43
> > JDK 8: 1.8.0_212 (Will be upgrading soon to latest 1.8.0_251)
>

To configure custom error pages and thus to suppress this issue you can:
1) use ErrorReportValve
<https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>

2) configure error-page elements in your application web.xml -
https://stackoverflow.com/a/7066536/497381


> >
> > Your assistance would be greatly appreciated
> >
> > Rgs,
> > Fang
> >
>


Re: mod_jk and application deployed check

2020-06-03 Thread Giuseppe Sacco
On Fri, 29/05/2020 at 14:09 -0400, Christopher Schultz wrote:
> Giuseppe,
> 
> On 5/29/20 11:57, Giuseppe Sacco wrote:
> > [...]
> > misconfigured machines and failed with 404 errors. From what I
> > understood, the mod_jk protocol only allows checking whether Tomcat is
> > alive. Is it possible to also check if an application is deployed
> > (giving a dedicated URL in the application context)? Thank
> > you, Giuseppe
> 
> One way to do this would be to create a ROOT context which returns
> something other than 404 for all requests. Maybe return 500 status, for
> example.
> 
> If /myapp/ isn't deployed, the ROOT web application will respond with
> 500 and mod_jk will mark the node as degraded.

Thank you Cris, I am going to try this solution.

Bye,
Giuseppe

