RE: tomcat ssl setup

2017-09-20 Thread John Ellis
The Dropbox link to the tomcat server.xml file is back in this email thread. John Ellis 405.285.2500 office      http://biz-e.io -Original Message- From: André Warnier (tomcat) [mailto:a...@ice-sa.com] Sent: Tuesday, September 19, 2017 3:47 PM To: users@tomcat.apache.org Subject:

[SECURITY] Apache Tomcat Possible additional RCE via JSP upload

2017-09-20 Thread Mark Thomas
All, Following the announcement of CVE-2017-12615 [1], the Apache Tomcat Security Team has received multiple reports that a similar vulnerability exists in all current Tomcat versions and affects all operating systems. Unfortunately, one of these reports was made via the public bug tracker [2]

Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-20 Thread Mark Thomas
On 19/09/17 14:10, Mark Thomas wrote: > On 19/09/17 14:00, André Warnier (tomcat) wrote: >> Hello. >> >> Did the issue below also affect the DAV application ? > > Yes, as the WebDAV servlet also processes HTTP PUT requests. > > The WebDAV servlet extends the Default servlet so they actually

Tomcat 7/8/9 context path restrictions/validation

2017-09-20 Thread Konstantin Ryadov
Hello! Could you explain context path (e.g. described on https://tomcat.apache.org/tomcat-7.0-doc/config/context.html ) value set in server.xml limitations? Does it exist any context path validation (unescaped symbols, whitespaces and so on)? Is first “/” always required in context path

Re: tomcat ssl setup

2017-09-20 Thread tomcat
On 20.09.2017 17:07, John Ellis wrote: All of what I have done so far has been in Tomcat version 9, which I downloaded from the Apache Tomcat website. The way I start tomcat is by running the command ./startup.sh from within the apache-tomcat-9.0.0.M26/bin directory. I stop it by running the

RE: tomcat ssl setup

2017-09-20 Thread John Ellis
All of what I have done so far has been in Tomcat version 9, which I downloaded from the Apache Tomcat website. The way I start tomcat is by running the command ./startup.sh from within the apache-tomcat-9.0.0.M26/bin directory. I stop it by running the command ./shutdown.sh from the same

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-20 Thread Mark Thomas
Update: We believe we have a set of patches [1],[2] that addresses this for 9.0.x. The plan is to give folks ~12 hours to review the proposed patches and then back-port the patches, tag and release. Further analysis has not identified any additional attack vectors or risks associated with this

Re: Tomcat 7/8/9 context path restrictions/validation

2017-09-20 Thread Guang Chao
On Wed, Sep 20, 2017 at 5:47 PM, Konstantin Ryadov wrote: > > Hello! > Could you explain context path (e.g. described on > https://tomcat.apache.org/tomcat-7.0-doc/config/context.html ) value set > in server.xml limitations? > Does it exist any context path validation

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-20 Thread Mark Thomas
Update: The issue has been confirmed. CVE-2017-12617 has been allocated. The issue is not limited to PUT requests. For the Default servlet, DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and COPY are believed to be affected. The RCE via JSP upload using PUT is still

Re: tomcat ssl setup

2017-09-20 Thread tomcat
On 20.09.2017 15:20, John Ellis wrote: Andre can you tell me which log file you are saying tells where the problem is? That's the one you uploaded to the dropbox : >> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0 I have of course no idea at this point, which tomcat or

RE: tomcat ssl setup

2017-09-20 Thread John Ellis
Andre can you tell me which log file you are saying tells where the problem is? I am not seeing it but I may not be even looking for the right thing. I did open the server.xml file up in an XML file editor program and it didn't give any errors. John Ellis 405.285.2500 office     

startStopThreads="0" and thread safety issues with SAXParser / Xerces

2017-09-20 Thread Torsten Krah
Hi, i've enabled startStopThreads="0" to increase bootstrap time of my servlet container using tomcat 8.5.15 and jdk 1.8.0_131-b11. Sometimes - not every time - i've got something like that when the entity manager factory is created from the context initialized callback: