Re: Tomcat silently shuts down after 10 minutes - SOLVED

2024-07-06 Thread Christopher Schultz

Bryan,

On 7/5/24 17:08, Bryan Buchanan wrote:

Thanks all for the replies.

Turns out I needed to execute my "C" program with a "nohup" i.e.

$ nohup /usr/local/bin/ManageTomcat START

Tomcat was only stopping after about 10 mins because that's when I logged out.
Doh!

In the business app code I now execute the above and regular users can now 
start and stop Tomcat as needed. So far seems to be working out OK.


I read the whole thread before replying.

This (nohup) is pretty standard for any service-type thing on UNIX-like 
systems.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Inquiry about CVE-2024-5535 Vulnerability in Tomcat 10.1.20 Version

2024-07-06 Thread Christopher Schultz

Peyton,

On 7/6/24 00:08, Zhong, Peyton wrote:

I am writing to inquire about the potential impact of the recently detected critical 
vulnerability: CVE-2024-5535 
(9.1 CRITICAL / CVSS v3), in OpenSSL 3.0.13 on the Tomcat 10.1.20 version. According 
to Black Duck Binary Analysis (BDBA) scans, this vulnerability has been identified 
within the Tomcat 10.1.20 version. There are other detected vulnerabilities inside 
OpenSSL on Tomcat, such as CVE-2024-4603, CVE-2024-2511.

The detected file is: apache-tomcat-10.1.20/bin/tcnative-2.dll

Given this disconcerting discovery, we are seeking clarification on how 
CVE-2024-5535 may affect the Tomcat 10.1.20 version. It is of utmost importance 
for us to understand the implications of this vulnerability and to identify any 
available mitigations or patches to address this issue.

Your prompt attention to this matter is highly valued, and we would be grateful 
for any assistance or guidance you can provide to help us navigate this 
potential security concern.

Thank you for your time and consideration.


Official Tomcat distributions from ASF ship with a statically-linked 
OpenSSL DLL for Windows. Those DLLs come from the Tomcat-Native project. 
Each release of Tomcat Native includes the most-recent version of 
OpenSSL at the time of its release. Often, Tomcat Native releases are 
tied to important OpenSSL releases for this reason (convenience 
statically-linked binary for Windows).


You can upgrade (almost) any Tomcat installation with (almost) any newer 
version of Tomcat Native you wish. It would probably be better to simply 
upgrade Tomcat itself which will include the latest version of Tomcat 
Native at the time of release.


It seems there is a new OpenSSL release 3.0.14 while Tomcats and Tomcat 
Natives after ~Feb 2024 include OpenSSL 3.0.13.


If you are not using Windows, then you can safely remove this file. If 
you are not using TLS, you can most likely safely remove this file. If 
you are not using Tomcat Native, then you can safely remove 
tcnative-2.dll from your environment. If you are not sure if tcnative is 
being used in your environment, you should find someone who is sure.


-chris

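As an added example (not code from the thread or from the Tomcat project), the check below answers the question Chris's reply turns on: is Tomcat Native actually loaded in this installation? Only then is the OpenSSL statically linked into `bin/tcnative-2.dll` in play at all. It combines two real Tomcat artefacts: the `org.apache.catalina.core.AprLifecycleListener` declaration in `conf/server.xml` (the common way the native library gets loaded), and the `Loaded Apache Tomcat Native library` line that listener logs on success. The sample installations it builds, including the log line's version numbers, are constructed fixtures.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat.  Decides whether a
# Tomcat installation loads Tomcat Native (tcnative), which is what a scanner
# hit on bin/tcnative-2.dll has to be weighed against.  Two signals:
#   1. conf/server.xml declares org.apache.catalina.core.AprLifecycleListener
#      outside of an XML comment (the component that loads the library);
#   2. a logs/catalina.* file contains "Loaded Apache Tomcat Native library",
#      the message that listener logs when the library was found and loaded.
# The DLL itself is only loadable on Windows; elsewhere it is inert.

# Remove <!-- ... --> comments (multi-line ones included) so that a
# commented-out listener declaration is not counted as active.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (line != "") {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = "" } else { line = substr(line, i + 3); incomment = 0 }
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = "" }
                else { out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1 }
            }
        }
        print out
    }' "$1"
}

config_declares_listener() {        # $1 = CATALINA_HOME
    [ -r "$1/conf/server.xml" ] || return 1
    strip_xml_comments "$1/conf/server.xml" |
        grep -q 'org.apache.catalina.core.AprLifecycleListener'
}

log_shows_load() {                  # $1 = CATALINA_HOME
    grep -qs 'Loaded Apache Tomcat Native library' "$1"/logs/catalina.* 2>/dev/null
}

# Verdict for one installation:
#   in-use                 the log proves the library was loaded: keep the DLL,
#                          upgrade Tomcat / Tomcat Native instead
#   configured-unverified  listener declared, no load seen in the logs kept here
#   dll-unused             DLL shipped but nothing configured to load it
#   none                   no trace of tcnative at all
tcnative_status() {
    if log_shows_load "$1"; then echo in-use
    elif config_declares_listener "$1"; then echo configured-unverified
    elif [ -f "$1/bin/tcnative-2.dll" ]; then echo dll-unused
    else echo none
    fi
}

# Constructed sample installations for the demo (not real Tomcat trees).
make_fixture() {                    # $1 = dir, $2 = listener|commented, $3 = log|nolog
    mkdir -p "$1/conf" "$1/logs" "$1/bin"
    : > "$1/bin/tcnative-2.dll"
    if [ "$2" = listener ]; then
        listener='<Listener className="org.apache.catalina.core.AprLifecycleListener" />'
    else
        listener='<!-- disabled:
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
-->'
    fi
    printf '<?xml version="1.0"?>\n<Server port="8005">\n%s\n</Server>\n' \
        "$listener" > "$1/conf/server.xml"
    if [ "$3" = log ]; then
        # Constructed log line in the format AprLifecycleListener uses; the
        # version numbers are placeholders.
        echo '06-Jul-2024 10:00:00.000 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [2.0.x] using APR version [1.7.x].' \
            > "$1/logs/catalina.2024-07-06.log"
    fi
}

demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp/a" listener log
    make_fixture "$tmp/b" commented nolog
    echo "a: $(tcnative_status "$tmp/a")"   # in-use
    echo "b: $(tcnative_status "$tmp/b")"   # dll-unused
    rm -rf "$tmp"
}
demo
```

Against a real installation call `tcnative_status /path/to/CATALINA_HOME`. The log line is the decisive evidence; a declared listener only shows that Tomcat tries to load the library, and log rotation can hide an older successful load, so treat `configured-unverified` as "ask someone who is sure", which is exactly the advice above.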



Re: Inquiry about CVE-2024-5535 Vulnerability in Tomcat 10.1.20 Version

2024-07-06 Thread Mark Thomas

On 06/07/2024 05:08, Zhong, Peyton wrote:

Dear Tomcat Community,

I am writing to inquire about the potential impact of the recently detected critical 
vulnerability: CVE-2024-5535 
(9.1 CRITICAL / CVSS v3), in OpenSSL 3.0.13 on the Tomcat 10.1.20 version. According 
to Black Duck Binary Analysis (BDBA) scans, this vulnerability has been identified 
within the Tomcat 10.1.20 version. There are other detected vulnerabilities inside 
OpenSSL on Tomcat, such as CVE-2024-4603
The detected file is: apache-tomcat-10.1.20/bin/tcnative-2.dll

Given this disconcerting discovery, we are seeking clarification on how 
CVE-2024-5535 may affect the Tomcat 10.1.20 version. It is of utmost importance 
for us to understand the implications of this vulnerability and to identify any 
available mitigations or patches to address this issue.

Your prompt attention to this matter is highly valued, and we would be grateful 
for any assistance or guidance you can provide to help us navigate this 
potential security concern.

Thank you for your time and consideration.


Another illustration of why CVSS scores are a bad idea.

Did you read the description from the OpenSSL project for CVE-2024-5535? 
Its severity is low, not critical. If you did read the description, did 
you check the Tomcat Native source code to see if Tomcat uses the method 
in question?


Same questions for CVE-2024-4603.

For CVE-2024-4603 did you read the description from the OpenSSL project? 
Are you using an affected configuration? If yes, can you switch to one 
that isn't affected?


You have access to all the information you need to be able to answer 
your questions yourself. If it is important to you as you say it is then 
why are you asking us to do the work for you rather than doing it yourself?


There are no plans at present for a new Tomcat Native release to pick up 
an updated OpenSSL version for the Windows binaries. However, given that 
some valid/likely configurations are affected, it is probable that there 
will be a Tomcat Native release some time this month so it can be picked 
up for the August Tomcat releases.


Mark
