Re: Apache Tomcat Default Files - TEN-12085

2024-07-10 Thread Michael Osipov
He's a contractor, what do you expect? At best someone logs in via SSH and 
solves the problem for him.

On 2024/07/08 19:58:42 Chuck Caldarale wrote:
> 
> > On Jul 8, 2024, at 14:54, Pramod Kumar Adhi wrote:
> > 
> > We are using Tomcat version 9.87; can you guide on the same?
> 
> 
> Seriously? You can’t find the 9.0.x documentation on the Tomcat web site 
> yourself? Ok…
> 
> https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html
> 
>   - Chuck
> 
> 
> 
> > From: Chuck Caldarale <n82...@gmail.com>
> > Sent: Tuesday, July 9, 2024 12:31 AM
> > To: Tomcat Users List
> > Subject: Re: Apache Tomcat Default Files - TEN-12085
> > 
> > 
> > > On Jul 8, 2024, at 13:56, Pramod Kumar Adhi wrote:
> > > 
> > > We have one vulnerability related to TEN-12085. Could you please 
> > > advise on the below on how we can remediate this vulnerability.
> > > 
> > > Vulnerability Description
> > > 
> > > The server is not configured to return a custom page in the event of a 
> > > client requesting a non-existent resource.
> > > This may result in a potential disclosure of sensitive information about 
> > > the server to attackers.
> > > 
> > > Vulnerability Summary
> > > 
> > > The default error page, default index page, example JSPs and/or example 
> > > servlets are installed on the remote Apache Tomcat server. These files 
> > > should be removed as they may help an attacker uncover information about 
> > > the remote Tomcat install or host itself.
> > > 
> > > Vulnerability Threat
> > > The remote web server contains default files.
> > > Vulnerability Remediation notes
> > > Delete the default index page and remove the example JSP and servlets. 
> > > Follow the Tomcat or OWASP instructions to replace or modify the default 
> > > error page.
> > 
> > 
> > The above is fairly explicit about what to do to resolve this so-called 
> > “vulnerability”. Just follow the instructions that the test gave you.
> > 
> > For an even more explicit description, read this (which you should have 
> > already done):
> > 
> > https://tomcat.apache.org/tomcat-10.1-doc/security-howto.html
> > 
> > - Chuck
> > 
> 
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Reg: tomcat CPU spikes

2024-07-10 Thread Jalaj Asher
Hello,
We are using tomcat version 9.0.80.

We are seeing intermittent CPU spikes with the requests having the following 
stack, and it is also causing disk spikes on our end because of this call stack.

at java.util.zip.ZipFile.getEntry(Native Method)
at java.util.zip.ZipFile.getEntry(ZipFile.java:328)
- locked <0xbb4fbf08> (a java.util.jar.JarFile)
at java.util.jar.JarFile.getEntry(JarFile.java:253)
at java.util.jar.JarFile.getJarEntry(JarFile.java:236)
at org.apache.catalina.webresources.AbstractSingleArchiveResourceSet.getArchiveEntry(AbstractSingleArchiveResourceSet.java:97)
at org.apache.catalina.webresources.AbstractArchiveResourceSet.getResource(AbstractArchiveResourceSet.java:249)
at org.apache.catalina.webresources.StandardRoot.getResourcesInternal(StandardRoot.java:316)
at org.apache.catalina.webresources.StandardRoot.getResources(StandardRoot.java:307)
at org.apache.catalina.webresources.StandardRoot.getClassLoaderResources(StandardRoot.java:226)
at org.apache.catalina.loader.WebappClassLoaderBase.findResources(WebappClassLoaderBase.java:1009)
at org.apache.catalina.loader.WebappClassLoaderBase.getResources(WebappClassLoaderBase.java:1110)
at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:348)
at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:393)
at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
at javax.xml.parsers.FactoryFinder$1.run(FactoryFinder.java:293)
at java.security.AccessController.doPrivileged(Native Method)

these are the runnable threads.

Wanted to get some understanding of when Tomcat accesses the 
ArchiveResourceSet and why it is calling getJarEntry and the zip file entry, and 
any suggestions to address this issue?

Would appreciate any help with this review.

Regards

Jalaj

CONFIDENTIALITY NOTICE TO RECIPIENT: This transmission contains confidential 
information belonging to the sender that is legally privileged and proprietary 
and may be subject to protection under the law, including the Health Insurance 
Portability and Accountability Act (HIPAA). If you are not the intended 
recipient of this e-mail, you are prohibited from sharing, copying, or 
otherwise using or disclosing its contents. If you have received this e-mail in 
error, please notify the sender immediately by reply e-mail and permanently 
delete this e-mail and any attachments without reading, forwarding or saving 
them. Thank you.


RE: Reg: tomcat CPU spikes

2024-07-10 Thread Jalaj Asher
Sharing another stack to see if this can give any more insights. This thread is 
the Tomcat main thread, which was loading about 65MB of data.

"main" #1 prio=5 os_prio=0
   java.lang.Thread.State: RUNNABLE
  at java.util.zip.ZipFile.getEntry(Native Method)
  at java.util.zip.ZipFile.getEntry(ZipFile.java:328)
  - locked <0xa1b04418> (a java.util.jar.JarFile)
  at java.util.jar.JarFile.getEntry(JarFile.java:253)
  at java.util.jar.JarFile.getJarEntry(JarFile.java:236)
  at org.apache.catalina.webresources.AbstractSingleArchiveResourceSet.getArchiveEntry(AbstractSingleArchiveResourceSet.java:97)
  at org.apache.catalina.webresources.AbstractArchiveResourceSet.getResource(AbstractArchiveResourceSet.java:249)
  at org.apache.catalina.webresources.StandardRoot.getResourceInternal(StandardRoot.java:272)
  at org.apache.catalina.webresources.StandardRoot.getResource(StandardRoot.java:213)
  at org.apache.catalina.webresources.StandardRoot.getClassLoaderResource(StandardRoot.java:220)
  at org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2348)
  at org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:875)
  at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1376)
  - locked <0xf24fc728> (a java.lang.Object)
  at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1220)
  at java.lang.Class.forName0(Native Method)
  at java.lang.Class.forName(Class.java:348)
  at com.sun.beans.finder.ClassFinder.findClass(ClassFinder.java:67)
  at com.sun.beans.finder.ClassFinder.findClass(ClassFinder.java:110)
  at com.sun.beans.finder.InstanceFinder.instantiate(InstanceFinder.java:93)
  at com.sun.beans.finder.InstanceFinder.find(InstanceFinder.java:66)
  at java.beans.Introspector.findExplicitBeanInfo(Introspector.java:448)
  at java.beans.Introspector.<init>(Introspector.java:398)
  at java.beans.Introspector.getBeanInfo(Introspector.java:173)
  at org.springframework.beans.CachedIntrospectionResults.getBeanInfo(CachedIntrospectionResults.java:255)


Regards

Jalaj


Re: Reg: tomcat CPU spikes

2024-07-10 Thread Chuck Caldarale

> On Jul 10, 2024, at 15:19, Jalaj Asher wrote:
> 
> We are using tomcat version 9.0.80.
> 
> We are seeing intermittent CPU spikes with the requests having the following 
> stack, and it is also causing disk spikes on our end because of this call 
> stack.
> 
> at java.util.zip.ZipFile.getEntry(Native Method)
> at java.util.zip.ZipFile.getEntry(ZipFile.java:328)
> - locked <0xbb4fbf08> (a java.util.jar.JarFile)
> at java.util.jar.JarFile.getEntry(JarFile.java:253)
> at java.util.jar.JarFile.getJarEntry(JarFile.java:236)
> at org.apache.catalina.webresources.AbstractSingleArchiveResourceSet.getArchiveEntry(AbstractSingleArchiveResourceSet.java:97)
> at org.apache.catalina.webresources.AbstractArchiveResourceSet.getResource(AbstractArchiveResourceSet.java:249)
> at org.apache.catalina.webresources.StandardRoot.getResourcesInternal(StandardRoot.java:316)
> at org.apache.catalina.webresources.StandardRoot.getResources(StandardRoot.java:307)
> at org.apache.catalina.webresources.StandardRoot.getClassLoaderResources(StandardRoot.java:226)
> at org.apache.catalina.loader.WebappClassLoaderBase.findResources(WebappClassLoaderBase.java:1009)
> at org.apache.catalina.loader.WebappClassLoaderBase.getResources(WebappClassLoaderBase.java:1110)
> at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:348)
> at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:393)
> at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
> at javax.xml.parsers.FactoryFinder$1.run(FactoryFinder.java:293)
> at java.security.AccessController.doPrivileged(Native Method)
> 
> these are the runnable threads.
> 
> Wanted to get some understanding of when Tomcat accesses the 
> ArchiveResourceSet and why it is calling getJarEntry and the zip file entry, 
> and any suggestions to address this issue?


Is unpackWARs set to false in the <Host> element, or is unpackWAR false in the 
<Context> element for the webapp(s)?

Have you disabled resource caching for the webapp(s)? Look at any <Resources> 
element inside a <Context> for the cachingAllowed and related attributes.

There’s a somewhat long discussion on this topic starting here:
https://marc.info/?l=tomcat-user&m=169909563517770&w=2

  - Chuck



RE: Reg: tomcat CPU spikes

2024-07-10 Thread Gregg, John E.
I don’t know about your most recent stack trace, but the first one had this 
frame:


at javax.xml.parsers.FactoryFinder$1.run(FactoryFinder.java:293)

What’s the rest of the stack trace?  I suspect you’re recreating a SAX parser 
or parser factory over and over.  The intent of those factories is that you 
initialize them once and reuse them.  Recreate the document builder, 
transformer, parser, etc as necessary, but don’t recreate the factory.  The 
java service loader is very expensive.  If you’re doing it dozens or hundreds 
of times a second, that can definitely chew up your CPU.

Thanks


From: Jalaj Asher 
Sent: Wednesday, July 10, 2024 5:02 PM
To: users@tomcat.apache.org
Subject: RE: Reg: tomcat CPU spikes

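The advice above (create the JAXP factory once, recreate only the builder), as an added example that is not code from the thread: every `DocumentBuilderFactory.newInstance()` goes through `FactoryFinder`, which runs `ServiceLoader` over the webapp class loader and is what produces the `WebappClassLoaderBase.getResources` / `JarFile.getEntry` frames in the first stack trace. The class and method names are mine, and the example assumes the JDK's built-in Xerces parser, which supports the `disallow-doctype-decl` feature.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public final class XmlParsing {

    // Resolved exactly once per class loader: this newInstance() call is the
    // expensive ServiceLoader lookup that scans every JAR under WEB-INF/lib for
    // META-INF/services/javax.xml.parsers.DocumentBuilderFactory.
    private static final DocumentBuilderFactory FACTORY = createFactory();

    private static DocumentBuilderFactory createFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Alternatives that skip the lookup entirely:
        //   DocumentBuilderFactory.newDefaultInstance()          (Java 9+)
        //   DocumentBuilderFactory.newInstance(implClassName, classLoader)
        try {
            // Hardening lives here, so it is applied once and cannot be
            // forgotten on an individual request path.
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException("parser lacks required secure features", e);
        }
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f; // configured before publication; afterwards it is only read
    }

    /** Per request: a new builder (cheap, not thread-safe) from the shared factory. */
    public static Document parse(String xml) throws Exception {
        DocumentBuilder builder = FACTORY.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    /** The anti-pattern behind the reported spikes: one ServiceLoader scan per call. */
    public static Document parseWithFreshFactory(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance(); // lookup each time
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for a quick local run.
        String sample = "<order id=\"42\"><item sku=\"A-1\"/></order>";
        System.out.println(parse(sample).getDocumentElement().getAttribute("id"));
    }
}
```

The same rule applies to `SAXParserFactory`, `TransformerFactory` and `XMLInputFactory`; a thread dump taken during a spike that shows `FactoryFinder` above application frames is the quickest way to confirm which call site is re-resolving the factory.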
Re: Reg: tomcat CPU spikes

2024-07-10 Thread Chuck Caldarale


> On Jul 10, 2024, at 17:02, Jalaj Asher wrote:
> 
> Sharing another stack to see if this can give any more insights. This thread 
> is the Tomcat main thread, which was loading about 65MB of data.
> 
> "main" #1 prio=5 os_prio=0
>   java.lang.Thread.State: RUNNABLE
>  at java.util.zip.ZipFile.getEntry(Native Method)
>  at java.util.zip.ZipFile.getEntry(ZipFile.java:328)
>  - locked <0xa1b04418> (a java.util.jar.JarFile)
>  at java.util.jar.JarFile.getEntry(JarFile.java:253)
>  at java.util.jar.JarFile.getJarEntry(JarFile.java:236)
>  at org.apache.catalina.webresources.AbstractSingleArchiveResourceSet.getArchiveEntry(AbstractSingleArchiveResourceSet.java:97)
>  at org.apache.catalina.webresources.AbstractArchiveResourceSet.getResource(AbstractArchiveResourceSet.java:249)
>  at org.apache.catalina.webresources.StandardRoot.getResourceInternal(StandardRoot.java:272)
>  at org.apache.catalina.webresources.StandardRoot.getResource(StandardRoot.java:213)
>  at org.apache.catalina.webresources.StandardRoot.getClassLoaderResource(StandardRoot.java:220)
>  at org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2348)
>  at org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:875)
>  at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1376)
>  - locked <0xf24fc728> (a java.lang.Object)
>  at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1220)
>  at java.lang.Class.forName0(Native Method)
>  at java.lang.Class.forName(Class.java:348)
>  at com.sun.beans.finder.ClassFinder.findClass(ClassFinder.java:67)
>  at com.sun.beans.finder.ClassFinder.findClass(ClassFinder.java:110)
>  at com.sun.beans.finder.InstanceFinder.instantiate(InstanceFinder.java:93)
>  at com.sun.beans.finder.InstanceFinder.find(InstanceFinder.java:66)
>  at java.beans.Introspector.findExplicitBeanInfo(Introspector.java:448)
>  at java.beans.Introspector.<init>(Introspector.java:398)
>  at java.beans.Introspector.getBeanInfo(Introspector.java:173)
>  at org.springframework.beans.CachedIntrospectionResults.getBeanInfo(CachedIntrospectionResults.java:255)


Is there some configuration setting in Spring that would disable caching? (I’m 
not really knowledgeable about Spring.)

There should be more in the stack trace that would show what’s triggering the 
getBeanInfo() calls. Tomcat won’t be doing the lookup unless something asks for 
it.

  - Chuck

