Re: How can I fix deserialization vulnerability?

2016-03-11 Thread Rob Gansevles
Barry,

The deserialization vulnerability for RMI endpoints in your webapp can be
mitigated using our library at https://github.com/Servoy/rmi-whitelist
Add it to the Tomcat system library, and classes like those from
commons-collections can no longer be used in serialisation attacks over
RMI.

Rob

2016-03-11 2:07 GMT+01:00 林慶龍 Barry Lin :

> Dears:
>
> These days everyone talks about the vulnerability in Tomcat, and we found
> that we have the same problem with the "deserialization vulnerability".
>
> How can I fix deserialization vulnerability in tomcat?
>
> Thanks for your help!
>
>
>
>
>
> Best regards,
>
> Barry Lin
>
> 鼎捷
>

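As an added illustration of the class-whitelisting approach Rob describes above, the following is stand-alone example code written for this page; it is not the rmi-whitelist library's implementation. It assumes Java 9 or later (for Set.of and java.io.ObjectInputFilter), and the Greeting and Unexpected classes are made up for the demo. It shows the two standard ways to restrict which classes an ObjectInputStream will resolve: overriding resolveClass, and a JEP 290 filter. A class that is not on the list is refused before it is loaded, which is what stops a gadget chain such as the commons-collections one from ever running.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

// Added example of deserialization class whitelisting (Java 9+).
// Not the rmi-whitelist library's code; the types below are made up for the demo.
public class DeserializationWhitelistDemo {

    /** ObjectInputStream that refuses to resolve any class not on the allow list. */
    static final class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        WhitelistObjectInputStream(byte[] bytes, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(bytes));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                // Thrown before the class is loaded or any of its readObject code runs,
                // so a gadget class (e.g. one from commons-collections) never gets a foothold.
                throw new InvalidClassException(name, "not on deserialization whitelist");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // Dynamic proxies are a common gadget-chain building block; this demo allows none.
            throw new InvalidClassException("java.lang.reflect.Proxy", "proxies not on deserialization whitelist");
        }
    }

    /** Application type the whitelist permits (made up for the demo). */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Stands in for any class the endpoint does not expect; a gadget class would land here. */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // String is listed too so that Greeting's String field is never refused by the filter.
    static final Set<String> ALLOWED = Set.of(Greeting.class.getName(), String.class.getName());

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Path 1: resolveClass override; works on every Java version. */
    static Object readWithOverride(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new WhitelistObjectInputStream(bytes, ALLOWED)) {
            return in.readObject();
        }
    }

    /** Path 2: JEP 290 filter (java.io.ObjectInputFilter on Java 9+). The pattern allows
     *  exactly the listed class names and rejects everything else ("!*"). */
    static Object readWithFilter(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                String.join(";", ALLOWED) + ";!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new Greeting("hello"));
        byte[] bad = serialize(new Unexpected());

        System.out.println("override, expected class: " + ((Greeting) readWithOverride(ok)).text);
        System.out.println("filter,   expected class: " + ((Greeting) readWithFilter(ok)).text);
        try {
            readWithOverride(bad);
        } catch (InvalidClassException e) {
            System.out.println("override rejected: " + e.getMessage());
        }
        try {
            readWithFilter(bad);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationWhitelistDemo.java && java DeserializationWhitelistDemo`. For RMI, where the application never touches the ObjectInputStream itself, the same JEP 290 mechanism can be applied to the whole JVM with the `jdk.serialFilter` system property (Java 9 and later, and 8u121 and later); whichever route is used, the list should name only the types the endpoint actually expects, and proxies should be refused unless they are genuinely needed.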

Web-fragments when unpackWARs=false

2015-10-09 Thread Rob Gansevles
Hi,

I am trying to use web-fragments on tomcat8, but get an error and the
webapp does not start when I turn unpacking of wars off.

Is this a supported combination?

I can reproduce the error with a plain new tomcat8 install and a standard
example.

I am using a simple sample war to make sure the issue is not in my own code.

I used webfragment-javaee6-war-3.0.0.war, downloaded from Maven Central
http://search.maven.org/remotecontent?filepath=org/apache/geronimo/samples/javaee6/webfragment-javaee6-war/3.0.0/webfragment-javaee6-war-3.0.0.war

Deploying this war works fine, until I set unpackWARs="false" on localhost
in conf/server.xml

After restart I get this error in the logs:

INFO: Deploying web application archive /crypt/apache/tomcat/trunk/output/build/webapps/webfragment-javaee6-war-3.0.0.war
Oct 09, 2015 10:07:56 AM org.apache.catalina.startup.ContextConfig processServletContainerInitializers
SEVERE: Failed to process JAR found at URL [/webfragment-javaee6-war-3.0.0] for ServletContainerInitializers for context with name [{1}]
java.net.MalformedURLException: no !/ in spec
    at java.net.URL.<init>(URL.java:619)
    at java.net.URL.<init>(URL.java:482)
    at java.net.URL.<init>(URL.java:431)
    at java.net.JarURLConnection.parseSpecs(JarURLConnection.java:179)
    at java.net.JarURLConnection.<init>(JarURLConnection.java:162)
    at sun.net.www.protocol.jar.JarURLConnection.<init>(JarURLConnection.java:81)
    at sun.net.www.protocol.jar.Handler.openConnection(Handler.java:41)
    at java.net.URL.openConnection(URL.java:971)
    at java.net.URL.openStream(URL.java:1037)
    at org.apache.catalina.startup.WebappServiceLoader.parseConfigFile(WebappServiceLoader.java:161)
    at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:118)
    at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1616)
    at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1128)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:771)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:305)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5080)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:945)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1798)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.NullPointerException: no !/ in spec
    at sun.net.www.protocol.jar.Handler.parseAbsoluteSpec(Handler.java:170)
    at sun.net.www.protocol.jar.Handler.parseURL(Handler.java:150)
    at java.net.URL.<init>(URL.java:614)
    ... 28 more


Is this a (known) bug, I could not find anything on it?

Is there a workaround (except for turning unpacking of wars on)?

Thanks in advance,

Rob

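To show what the "no !/ in spec" failure in the trace above means, here is an added stand-alone example for this page. It is not Tomcat code and makes no claim about which URL Tomcat actually built; the WAR path, JAR name and entry names are made up. It feeds three jar: URL specs to the JDK's own jar protocol handler (JDK 8 or later) and reports where each one is accepted or rejected. The third case is the interesting one: a JAR nested inside a packed WAR passes URL construction, which validates only up to the last "!/", but JarURLConnection splits at the first "!/" and does not handle nested archives, so the inner "jar:file:...war" has no "!/" and the same MalformedURLException-wrapping-NullPointerException chain as in the log appears at openConnection().

```java
import java.io.IOException;
import java.net.JarURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

// Added illustration of the JDK jar: URL rules behind "no !/ in spec".
// Not Tomcat's code; paths and names are made up for the demo.
public class JarUrlSpecDemo {

    /** Outcome of parsing and opening a jar: URL with the JDK's standard handler. */
    static String probe(String spec) {
        URL url;
        try {
            url = new URL(spec);            // the jar: handler validates the spec here
        } catch (MalformedURLException e) {
            return "rejected at construction: " + e.getMessage();
        }
        try {
            // openConnection() re-parses the spec into archive URL + entry name.
            // No file I/O happens until connect()/getInputStream(), so the WAR need not exist.
            JarURLConnection conn = (JarURLConnection) url.openConnection();
            return "ok: archive=" + conn.getJarFileURL() + " entry=" + conn.getEntryName();
        } catch (IOException e) {
            return "rejected at openConnection: " + e.getMessage();
        }
    }

    /** Well-formed jar: URL: "jar:" + archive URL + "!/" + entry path. */
    static String jarEntrySpec(String archiveUrl, String entry) {
        return "jar:" + archiveUrl + "!/" + entry;
    }

    public static void main(String[] args) {
        // Hypothetical locations, constructed for the demo.
        String war = "file:/opt/tomcat/webapps/webfragment-javaee6-war-3.0.0.war";
        String services = "META-INF/services/javax.servlet.ServletContainerInitializer";

        // 1. A bare path handed to the jar: handler: no "!/" at all.
        //    Fails in the URL constructor with "no !/ in spec".
        System.out.println(probe("jar:/webfragment-javaee6-war-3.0.0"));

        // 2. An entry directly inside the WAR: parses and opens.
        System.out.println(probe(jarEntrySpec(war, "WEB-INF/web.xml")));

        // 3. An entry inside a JAR that is itself inside the packed WAR.
        //    Construction succeeds (validated up to the LAST "!/"); openConnection()
        //    splits at the FIRST "!/", leaving "jar:file:...war" with no "!/", and fails
        //    with the same "no !/ in spec" chain as the Tomcat log above.
        System.out.println(probe(jarEntrySpec(jarEntrySpec(war, "WEB-INF/lib/fragment.jar"), services)));
    }
}
```

Run with `javac JarUrlSpecDemo.java && java JarUrlSpecDemo`. The nested case is the one to keep in mind for unpackWARs="false": the stock JDK handler cannot address a JAR inside an archive, so a container has to either unpack the WAR or provide its own URL scheme for that path.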

Re: Web-fragments when unpackWARs=false

2015-10-09 Thread Rob Gansevles
I submitted bug 58490.

Thanks,

Rob

On Fri, Oct 9, 2015 at 10:38 AM, Mark Thomas <ma...@apache.org> wrote:

> On 09/10/2015 09:33, Rob Gansevles wrote:
> > [...]
> > Is this a (known) bug, I could not find anything on it?
>
> If that occurs with the last stable 8.0.x release (8.0.27) then it is a
> bug. Please open a Bugzilla issue for this.
>
> > Is there a workaround (except for turning unpacking of wars on)?
>
> If it is a bug then I don't expect that there will be any other workaround.
>
> Mark
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>