[ANN] Apache Tomcat 9.0.94 available

2024-09-11 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.94.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.94 is a bugfix and feature release. The notable
changes compared to 9.0.93 include:

- If an HTTP/2 client resets a stream before the request body is fully
   written, ensure that any ReadListener is notified via a call to
   ReadListener.onError()

- An Exception being thrown during WebSocket message processing (e.g. in
   a method annotated with @OnMessage) should not automatically cause the
   connection to close. The application should handle the exception and
   make the decision whether or not to close the connection.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Trying to Resolve a Java Version Vulnerability I'm Using for Tomcat

2024-09-11 Thread Ferrick, Michael
Hello,

The powers above have notified me that the Java version 9.0.1.0 (x64) that I am 
using with Apache Tomcat 9.0.84 has a vulnerability on my Windows servers (OS 
2019) and MUST be remediated. That means use another Java version!

I removed Java 9.0.1 (64-bit) and Java (tm) SE Development Kit 9.0 (64-bit)
from the Control Panel (It notified me that it would stop Tomcat) and I
installed jdk-8u421-windows-x64.exe in the default location of C:\Program
Files\Java, which was the same location as the original 9.0.1.0 version.

Apache Software is located on E:\Program Files\Apache Software
Foundation\Tomcat 9.0.

I opened Services and attempted to Start Apache Tomcat and I got an error
message. The only thing the message meant to me is that Tomcat failed to start.
I'm not an SME (Subject Matter Expert) on JAVA or Tomcat however if the content
is important to resolve let me know.

I removed Java 8u421 from the Control Panel (Both the Java SE Dev tool Kit and
Java 8.421 (64-bit)).

I re-installed jdk-9.0.1_windows-64_bin.exe and checked Control Panel to 
confirm both Java and the toolkit was also installed.

I re-opened Services and was able to restart Apache Tomcat.

I then downloaded Java 8u422-b05-windows-x64 and using the same procedures as 
above uninstalled Java 9.0.1 and installed java 8.422 and it failed to start 
Apache Tomcat, so I once again had to revert to the "vulnerable" Java 9.0.1.

Can anyone tell me what non-vulnerable version of Java will work with Tomcat 
9.0.84 or what I am missing to make the 8.xx versions I have work? I can't 
simply upgrade Apache Tomcat as there are just too many developers entrenched 
in this version.

Thank you,
Mike

_
The information contained in this email and any attachments have been 
classified as limited access and/or privileged State Street 
information/communication and is intended solely for the use of the named 
addressee(s). If you are not an intended recipient or a person responsible for 
delivery to an intended recipient, please notify the author and destroy this 
email. Any unauthorized copying, disclosure, retention or distribution of the 
material in this email is strictly forbidden.
Go green. Consider the environment before printing this email.



Information Classification: General


Re: Trying to Resolve a Java Version Vulnerability I'm Using for Tomcat

2024-09-11 Thread Mark Thomas

Michael,

What is the error message when Tomcat doesn't start?

We may also need to see relevant parts of all the log files in Tomcat's 
logs directory.


Mark





On 11/09/2024 14:13, Ferrick, Michael wrote:

> Hello,
>
> The powers above have notified me that the Java version 9.0.1.0 (x64) that I
> am using with Apache Tomcat 9.0.84 has a vulnerability on my Windows servers
> (OS 2019) and MUST be remediated. That means use another Java version!
>
> I removed Java 9.0.1 (64-bit) and Java (tm) SE Development Kit 9.0 (64-bit)
> from the Control Panel (It notified me that it would stop Tomcat) and I
> installed jdk-8u421-windows-x64.exe in the default location of C:\Program
> Files\Java, which was the same location as the original 9.0.1.0 version.
>
> Apache Software is located on E:\Program Files\Apache Software
> Foundation\Tomcat 9.0.
>
> I opened Services and attempted to Start Apache Tomcat and I got an error
> message. The only thing the message meant to me is that Tomcat failed to
> start. I'm not an SME (Subject Matter Expert) on JAVA or Tomcat however if
> the content is important to resolve let me know.
>
> I removed Java 8u421 from the Control Panel (Both the Java SE Dev tool Kit and
> Java 8.421 (64-bit)).
>
> I re-installed jdk-9.0.1_windows-64_bin.exe and checked Control Panel to
> confirm both Java and the toolkit was also installed.
>
> I re-opened Services and was able to restart Apache Tomcat.
>
> I then downloaded Java 8u422-b05-windows-x64 and using the same procedures as
> above uninstalled Java 9.0.1 and installed java 8.422 and it failed to start
> Apache Tomcat, so I once again had to revert to the "vulnerable" Java 9.0.1.
>
> Can anyone tell me what non-vulnerable version of Java will work with Tomcat
> 9.0.84 or what I am missing to make the 8.xx versions I have work? I can't
> simply upgrade Apache Tomcat as there are just too many developers entrenched
> in this version.
>
> Thank you,
> Mike




Re: Trying to Resolve a Java Version Vulnerability I'm Using for Tomcat

2024-09-11 Thread Holger Klawitter
Hi Michael,

you should be fine using a contemporary version
of Java like JDK17 or JDK21.

Ferrick, Michael wrote (at 2024-09-11 13:13 +):
> Hello,
>
> The powers above have notified me that the Java version 9.0.1.0 (x64) that I 
> am using with Apache Tomcat 9.0.84 has a vulnerability on my Windows servers 
> (OS 2019) and MUST be remediated. That means use another Java version!
>
> I removed Java 9.0.1 (64-bit) and Java (tm) SE Development Kit 9.0 (64-bit) 
> from the Control Panel (It notified me that it would stop Tomcat) and I 
> installed jdk-8u421-windows-x64.exe in the default location of C:\Program
> Files\Java, which was the same location as the original 9.0.1.0 version.
>
> Apache Software is located on E:\Program Files\Apache Software 
> Foundation\Tomcat 9.0.
>
> I opened Services and attempted to Start Apache Tomcat and I got an error 
> message. The only thing the message meant to me is that Tomcat failed to 
> start. I'm not an SME (Subject Matter Expert) on JAVA or Tomcat however if 
> the content is important to resolve let me know.
>
> I removed Java 8u421 from the Control Panel (Both the Java SE Dev tool Kit and
> Java 8.421 (64-bit)).
>
> I re-installed jdk-9.0.1_windows-64_bin.exe and checked Control Panel to 
> confirm both Java and the toolkit was also installed.
>
> I re-opened Services and was able to restart Apache Tomcat.
>
> I then downloaded Java 8u422-b05-windows-x64 and using the same procedures as 
> above uninstalled Java 9.0.1 and installed java 8.422 and it failed to start 
> Apache Tomcat, so I once again had to revert to the "vulnerable" Java 9.0.1.
>
> Can anyone tell me what non-vulnerable version of Java will work with Tomcat 
> 9.0.84 or what I am missing to make the 8.xx versions I have work? I can't 
> simply upgrade Apache Tomcat as there are just too many developers entrenched 
> in this version.
>
> Thank you,
> Mike

--
Mit freundlichem Gruß / With kind regards
  Holger Klawitter
--
listen  klawitter  de




Re: Trying to Resolve a Java Version Vulnerability I'm Using for Tomcat

2024-09-11 Thread Chuck Caldarale


> On Sep 11, 2024, at 08:13, Ferrick, Michael 
>  wrote:
> 
> The powers above have notified me that the Java version 9.0.1.0 (x64) that I 
> am using with Apache Tomcat 9.0.84 has a vulnerability on my Windows servers 
> (OS 2019) and MUST be remediated. That means use another Java version!
> 
> I removed Java 9.0.1 (64-bit) and Java (tm) SE Development Kit 9.0 (64-bit) 
> from the Control Panel (It notified me that it would stop Tomcat) and I 
> installed jdk-8u421-windows-x64.exe in the default location of C:\Program
> Files\Java, which was the same location as the original 9.0.1.0 version.
> 
> Apache Software is located on E:\Program Files\Apache Software 
> Foundation\Tomcat 9.0.
> 
> I opened Services and attempted to Start Apache Tomcat and I got an error 
> message. The only thing the message meant to me is that Tomcat failed to 
> start. I'm not an SME (Subject Matter Expert) on JAVA or Tomcat however if 
> the content is important to resolve let me know.
> 
> I removed Java 8u421 from the Control Panel (Both the Java SE Dev tool Kit and
> Java 8.421 (64-bit)).
> 
> I re-installed jdk-9.0.1_windows-64_bin.exe and checked Control Panel to 
> confirm both Java and the toolkit was also installed.
> 
> I re-opened Services and was able to restart Apache Tomcat.
> 
> I then downloaded Java 8u422-b05-windows-x64 and using the same procedures as 
> above uninstalled Java 9.0.1 and installed java 8.422 and it failed to start 
> Apache Tomcat, so I once again had to revert to the "vulnerable" Java 9.0.1.
> 
> Can anyone tell me what non-vulnerable version of Java will work with Tomcat 
> 9.0.84 or what I am missing to make the 8.xx versions I have work? I can't 
> simply upgrade Apache Tomcat as there are just too many developers entrenched 
> in this version.


Going back to Java 8 sounds like a really bad idea at this stage, but if you 
must, then try clearing out Tomcat’s temp and work directories first. There may 
be class files in there compiled with Java 9 that will not be usable on prior 
versions of the JVM.

As others have stated, moving to a more recent supported JVM would be better, 
such as OpenJDK 21, which is an LTS version.

  - Chuck
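
One way to test the suggestion in this reply before deleting anything, as an added example that is not from the thread or the Tomcat project: walk a directory such as Tomcat's work directory and report class files whose header declares a release newer than the target JVM. The class name ClassVersionScan and the default target release of 8 are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

// Added example (hypothetical class name). Uses only Java 8 APIs so it can run
// on the older JVM that is being tested.
public class ClassVersionScan {

    /** Returns the class-file major version, or -1 if the stream is not a class file. */
    static int majorVersion(InputStream in) throws IOException {
        DataInputStream data = new DataInputStream(in);
        try {
            if (data.readInt() != 0xCAFEBABE) {
                return -1;                   // wrong magic number
            }
            data.readUnsignedShort();        // minor_version, not needed here
            return data.readUnsignedShort(); // major_version
        } catch (EOFException e) {
            return -1;                       // truncated or empty file
        }
    }

    /** Maps a major version to a Java release: 52 is Java 8, 53 is Java 9. */
    static int javaRelease(int major) {
        return major - 44;
    }

    /** Lists .class files under root that need a JVM newer than targetRelease. */
    static List<String> tooNew(Path root, int targetRelease) throws IOException {
        List<String> findings = new ArrayList<>();
        try (Stream<Path> files = Files.walk(root)) {
            for (Path p : (Iterable<Path>) files::iterator) {
                if (!Files.isRegularFile(p) || !p.toString().endsWith(".class")) {
                    continue;
                }
                try (InputStream in = Files.newInputStream(p)) {
                    int major = majorVersion(in);
                    if (major > 0 && javaRelease(major) > targetRelease) {
                        findings.add(p + " (needs Java " + javaRelease(major) + ")");
                    }
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        if (args.length >= 1) {
            // Usage: java ClassVersionScan <directory> [targetRelease, default 8]
            int target = args.length >= 2 ? Integer.parseInt(args[1]) : 8;
            List<String> findings = tooNew(Paths.get(args[0]), target);
            for (String f : findings) {
                System.out.println(f);
            }
            System.out.println(findings.size() + " class file(s) too new for Java " + target);
            return;
        }
        // No arguments: run on two constructed headers (magic, minor 0, major 53 / 52).
        byte[] java9 = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 0, 0, 0, 53};
        byte[] java8 = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 0, 0, 0, 52};
        System.out.println("constructed header A: Java "
                + javaRelease(majorVersion(new ByteArrayInputStream(java9))));
        System.out.println("constructed header B: Java "
                + javaRelease(majorVersion(new ByteArrayInputStream(java8))));
    }
}
```

Run it against the work and temp directories of the Tomcat installation; an empty result means no cached class file there is too new for the target JVM.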





Max parameters limit

2024-09-11 Thread Christopher Schultz

All,

Does anyone know if there is a way to limit the number of HTTP 
parameters in a POST request but explicitly allow more parameters for, 
say, a small set of specific URLs?


Asking for a friend.

-chris




Re: Trying to Resolve a Java Version Vulnerability I'm Using for Tomcat

2024-09-11 Thread Christopher Schultz

Michael,

On 9/11/24 09:13, Ferrick, Michael wrote:

> Hello,
>
> The powers above have notified me that the Java version 9.0.1.0 (x64) that I
> am using with Apache Tomcat 9.0.84 has a vulnerability on my Windows servers
> (OS 2019) and MUST be remediated. That means use another Java version!
>
> I removed Java 9.0.1 (64-bit) and Java (tm) SE Development Kit 9.0 (64-bit)
> from the Control Panel (It notified me that it would stop Tomcat) and I
> installed jdk-8u421-windows-x64.exe in the default location of C:\Program
> Files\Java, which was the same location as the original 9.0.1.0 version.
>
> Apache Software is located on E:\Program Files\Apache Software
> Foundation\Tomcat 9.0.
>
> I opened Services and attempted to Start Apache Tomcat and I got an error
> message. The only thing the message meant to me is that Tomcat failed to
> start. I'm not an SME (Subject Matter Expert) on JAVA or Tomcat however if
> the content is important to resolve let me know.
>
> I removed Java 8u421 from the Control Panel (Both the Java SE Dev tool Kit and
> Java 8.421 (64-bit)).
>
> I re-installed jdk-9.0.1_windows-64_bin.exe and checked Control Panel to
> confirm both Java and the toolkit was also installed.
>
> I re-opened Services and was able to restart Apache Tomcat.
>
> I then downloaded Java 8u422-b05-windows-x64 and using the same procedures as
> above uninstalled Java 9.0.1 and installed java 8.422 and it failed to start
> Apache Tomcat, so I once again had to revert to the "vulnerable" Java 9.0.1.
>
> Can anyone tell me what non-vulnerable version of Java will work with Tomcat
> 9.0.84 or what I am missing to make the 8.xx versions I have work? I can't
> simply upgrade Apache Tomcat as there are just too many developers entrenched
> in this version.


If you are using the Windows Service snap-in to start and stop Tomcat, 
then you likely need to update the service definition with the new path 
to Java. I don't think it auto-detects the Java version.


Run the tomcat9w.exe application and you should get a properties dialog 
which allows you to inspect the Tomcat service. If you have multiple 
Tomcat services, you may need to run "tomcat9w.exe //ES/servicename" 
from the command-line to get the right one.


In that properties dialog, you should be able to locate the path to Java 
and update it to match your newly-installed Java version.


-chris




Re: Jersey on Tomcat 10.1

2024-09-11 Thread Jürgen Weber
It works with rs-api 4.0.0

Thanks for your help!

<artifactId>jakarta.ws.rs-api</artifactId>
<version>4.0.0</version>

On Tue, 10 Sept 2024 at 20:27, Thomas Meyer wrote:
>
> Hi,
>
> Looks correct, see example from GitHub:
>
> https://github.com/eclipse-ee4j/jersey/blob/3.1/examples/servlet3-webapp/pom.xml
>
> But I assume that Jersey 3.1.x does implement jax-rs 3.1, so maybe that's the
> reason it cannot find this class.
>
> Kind regards
> Thomas
>
>
> On 10 September 2024 20:07:07 CEST, "Jürgen Weber" wrote:
> >Hi,
> >
> >I am looking for a working minimal Jersey on Tomcat 10.1 Maven based
> >REST example.
> >What I found all give ClassNotFoundExceptions.
> >
> >Anybody knows an example on github?
> >
> >Does Jersey even work on Tomcat?
> >
> >Thx
> >
> >
> >java.lang.ClassNotFoundException: org.glassfish.jersey.client.ClientConfig
> >java.lang.NoClassDefFoundError: jakarta/ws/rs/core/EntityPart
> >
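> ><groupId>org.glassfish.jersey</groupId>
> ><artifactId>jersey-bom</artifactId>
> >
> >
> ><groupId>jakarta.ws.rs</groupId>
> ><artifactId>jakarta.ws.rs-api</artifactId>
> ><version>3.0.0</version>
> >
> ><groupId>org.glassfish.jersey.containers</groupId>
> ><artifactId>jersey-container-servlet</artifactId>
> >
> ><groupId>org.glassfish.jersey.inject</groupId>
> ><artifactId>jersey-hk2</artifactId>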
> >



Re: Jersey on Tomcat 10.1

2024-09-11 Thread Jürgen Weber
interestingly, if you do not specify rs-api,
jersey-container-servlet:jar:3.1.8 pulls in ws.rs-api:jar:3.1.0

[INFO] +- org.glassfish.jersey.containers:jersey-container-servlet:jar:3.1.8:compile
[INFO] |  +- org.glassfish.jersey.containers:jersey-container-servlet-core:jar:3.1.8:compile
[INFO] |  |  \- jakarta.inject:jakarta.inject-api:jar:2.0.1:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:3.1.8:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:compile
[INFO] |  |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.3:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-server:jar:3.1.8:compile
[INFO] |  |  +- org.glassfish.jersey.core:jersey-client:jar:3.1.8:compile
[INFO] |  |  \- jakarta.validation:jakarta.validation-api:jar:3.0.2:compile
[INFO] |  \- jakarta.ws.rs:jakarta.ws.rs-api:jar:3.1.0:compile
[INFO] \- org.glassfish.jersey.inject:jersey-hk2:jar:3.1.8:compile
[INFO]    +- org.glassfish.hk2:hk2-locator:jar:3.0.6:compile
[INFO]    |  +- org.glassfish.hk2.external:aopalliance-repackaged:jar:3.0.6:compile
[INFO]    |  +- org.glassfish.hk2:hk2-api:jar:3.0.6:compile
[INFO]    |  \- org.glassfish.hk2:hk2-utils:jar:3.0.6:compile
[INFO]    \- org.javassist:javassist:jar:3.30.2-GA:compile

On Wed, 11 Sept 2024 at 19:34, Jürgen Weber wrote:
>
> It works with rs-api 4.0.0
>
> Thanks for your help!
>
> <artifactId>jakarta.ws.rs-api</artifactId>
> <version>4.0.0</version>
>
> On Tue, 10 Sept 2024 at 20:27, Thomas Meyer wrote:
> >
> > Hi,
> >
> > Looks correct, see example from GitHub:
> >
> > https://github.com/eclipse-ee4j/jersey/blob/3.1/examples/servlet3-webapp/pom.xml
> >
> > But I assume that Jersey 3.1.x does implement jax-rs 3.1, so maybe that's
> > the reason it cannot find this class.
> >
> > Kind regards
> > Thomas
> >
> >
> > On 10 September 2024 20:07:07 CEST, "Jürgen Weber" wrote:
> > >Hi,
> > >
> > >I am looking for a working minimal Jersey on Tomcat 10.1 Maven based
> > >REST example.
> > >What I found all give ClassNotFoundExceptions.
> > >
> > >Anybody knows an example on github?
> > >
> > >Does Jersey even work on Tomcat?
> > >
> > >Thx
> > >
> > >
> > >java.lang.ClassNotFoundException: org.glassfish.jersey.client.ClientConfig
> > >java.lang.NoClassDefFoundError: jakarta/ws/rs/core/EntityPart
> > >
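> > ><groupId>org.glassfish.jersey</groupId>
> > ><artifactId>jersey-bom</artifactId>
> > >
> > >
> > ><groupId>jakarta.ws.rs</groupId>
> > ><artifactId>jakarta.ws.rs-api</artifactId>
> > ><version>3.0.0</version>
> > >
> > ><groupId>org.glassfish.jersey.containers</groupId>
> > ><artifactId>jersey-container-servlet</artifactId>
> > >
> > ><groupId>org.glassfish.jersey.inject</groupId>
> > ><artifactId>jersey-hk2</artifactId>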
> > >



Trying to Resolve a Java Version Vulnerability I'm Using for Tomcat

2024-09-11 Thread Ferrick, Michael
Thanks! I'll check into that.

_
Michael Ferrick MBA
AVP – Application Reliability Operations | Market Data & Trader Support
| GM | GA | GT | Corp
(He, Him, He’s)
1 Iron Street
Boston, Massachusetts, 02210 USA
+1 (617) 664-5842
mds_infrastruct...@ssga.com
statestreet.com   /  State Street on LinkedIn

-Original Message-
From: Christopher Schultz 
Sent: Wednesday, September 11, 2024 1:02 PM
To: users@tomcat.apache.org
Subject: Re: Trying to Resolve a Java Version Vulnerability I'm Using
for Tomcat


Michael,

On 9/11/24 09:13, Ferrick, Michael wrote:
> Hello,
>
> The powers above have notified me that the Java version 9.0.1.0 (x64) that I
> am using with Apache Tomcat 9.0.84 has a vulnerability on my Windows servers
> (OS 2019) and MUST be remediated. That means use another Java version!
>
> I removed Java 9.0.1 (64-bit) and Java (tm) SE Development Kit 9.0 (64-bit)
> from the Control Panel (It notified me that it would stop Tomcat) and I
> installed jdk-8u421-windows-x64.exe in the default location of C:\Program
> Files\Java, which was the same location as the original 9.0.1.0 version.
>
> Apache Software is located on E:\Program Files\Apache Software
> Foundation\Tomcat 9.0.
>
> I opened Services and attempted to Start Apache Tomcat and I got an error
> message. The only thing the message meant to me is that Tomcat failed to
> start. I'm not an SME (Subject Matter Expert) on JAVA or Tomcat however if
> the content is important to resolve let me know.
>
> I removed Java 8u421 from the Control Panel (Both the Java SE Dev tool Kit and
> Java 8.421 (64-bit)).
>
> I re-installed jdk-9.0.1_windows-64_bin.exe and checked Control Panel to
> confirm both Java and the toolkit was also installed.
>
> I re-opened Services and was able to restart Apache Tomcat.
>
> I then downloaded Java 8u422-b05-windows-x64 and using the same procedures as
> above uninstalled Java 9.0.1 and installed java 8.422 and it failed to start
> Apache Tomcat, so I once again had to revert to the "vulnerable" Java 9.0.1.
>
> Can anyone tell me what non-vulnerable version of Java will work with Tomcat
> 9.0.84 or what I am missing to make the 8.xx versions I have work? I can't
> simply upgrade Apache Tomcat as there are just too many developers entrenched
> in this version.

If you are using the Windows Service snap-in to start and stop Tomcat,
then you likely need to update the service definition with the new path
to Java. I don't think it auto-detects the Java version.

Run the tomcat9w.exe application and you should get a properties dialog
which allows you to inspect the Tomcat service. If you have multiple
Tomcat services, you may need to run "tomcat9w.exe //ES/servicename"
from the command-line to get the right one.

In that properties dialog, you should be able to locate the path to
Java and update it to match your newly-installed Java version.

-chris




Re: Max parameters limit

2024-09-11 Thread Tim Funk
I'd guess the "easiest" way is to use the builtin Tomcat functionality for
max for the smaller number.


Then for the bigger number ... Use a servlet filter for the "special"
urls that slurps the "input stream" and parses the parameters in
application space. And use RequestWrapper to intercept getParameter()
and provide your own parsed value.

-Tim

On Wed, Sep 11, 2024 at 12:31 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> All,
>
> Does anyone know if there is a way to limit the number of HTTP
> parameters in a POST request but explicitly allow more parameters for,
> say, a small set of specific URLs?
>
>
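The approach in this reply, as an added example (not code from the thread or from Tomcat): the Connector keeps the small maxParameterCount, and a filter mapped only to the exempt URLs reads the form body itself, enforces its own higher limit plus a body-size cap, and serves the result through a request wrapper. It assumes Tomcat 9's javax.servlet API (jakarta.servlet on Tomcat 10.1) and UTF-8 form encoding; the class name and both limits are hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Added example: class name and both limits are hypothetical. Map the filter only to
// the URLs allowed to exceed the connector-wide limit. Servlet 4.0 (Tomcat 9) gives
// Filter.init() and destroy() default bodies, so they are omitted here.
public class RaisedParameterLimitFilter implements Filter {
    static final int MAX_PARAMS = 5000;           // assumed higher limit
    static final int MAX_BODY_BYTES = 512 * 1024; // assumed cap on the buffered body

    /** Adds the pairs of a urlencoded body to 'into'; throws once 'limit' is exceeded. */
    static void parseForm(String body, int limit, Map<String, List<String>> into)
            throws IOException {
        int count = 0;
        for (int start = 0; start < body.length(); ) {
            int end = body.indexOf('&', start);
            if (end < 0) end = body.length();
            if (end > start) {
                if (++count > limit) throw new IllegalStateException("too many parameters");
                String pair = body.substring(start, end);
                int eq = pair.indexOf('=');
                // URLDecoder throws IllegalArgumentException on a malformed %-escape
                String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), "UTF-8");
                String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
                into.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
            }
            start = end + 1;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse resp = (HttpServletResponse) res;
        String type = http.getContentType();
        if (!"POST".equals(http.getMethod()) || type == null
                || !type.toLowerCase(Locale.ROOT).startsWith("application/x-www-form-urlencoded")) {
            chain.doFilter(req, res); // not a form POST: container limits apply as usual
            return;
        }
        // Read the body before any getParameter*() call so the container never parses it.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        InputStream in = http.getInputStream();
        byte[] chunk = new byte[8192];
        for (int n; (n = in.read(chunk)) != -1; ) {
            buf.write(chunk, 0, n);
            if (buf.size() > MAX_BODY_BYTES) {
                resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                return;
            }
        }
        Map<String, List<String>> all = new LinkedHashMap<>();
        // Assumption: with the stream consumed, the container returns query-string
        // parameters only, and those stay under its own smaller limit.
        for (Map.Entry<String, String[]> e : http.getParameterMap().entrySet()) {
            all.put(e.getKey(), new ArrayList<>(Arrays.asList(e.getValue())));
        }
        try {
            parseForm(buf.toString("ISO-8859-1"), MAX_PARAMS, all);
        } catch (IllegalStateException | IllegalArgumentException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        final Map<String, String[]> merged = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : all.entrySet()) {
            merged.put(e.getKey(), e.getValue().toArray(new String[0]));
        }
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getParameter(String name) {
                String[] v = merged.get(name);
                return v == null ? null : v[0];
            }
            @Override public String[] getParameterValues(String n) { return merged.get(n); }
            @Override public Map<String, String[]> getParameterMap() { return merged; }
            @Override public Enumeration<String> getParameterNames() {
                return Collections.enumeration(merged.keySet());
            }
        }, res);
    }
}
```

The body-size cap matters as much as the parameter count: once parsing moves into application space, the container's own limits no longer bound what the filter buffers.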


Trying to Resolve a Java Version Vulnerability I'm Using for Tomcat

2024-09-11 Thread Ferrick, Michael
Thank you!

-Original Message-
From: Chuck Caldarale 
Sent: Wednesday, September 11, 2024 9:48 AM
To: Tomcat Users List 
Subject: Re: Trying to Resolve a Java Version Vulnerability I'm Using
for Tomcat


> On Sep 11, 2024, at 08:13, Ferrick, Michael wrote:
>
> The powers above have notified me that the Java version 9.0.1.0 (x64) that I
> am using with Apache Tomcat 9.0.84 has a vulnerability on my Windows servers
> (OS 2019) and MUST be remediated. That means use another Java version!
>
> I removed Java 9.0.1 (64-bit) and Java (tm) SE Development Kit 9.0 (64-bit)
> from the Control Panel (It notified me that it would stop Tomcat) and I
> installed jdk-8u421-windows-x64.exe in the default location of C:\Program
> Files\Java, which was the same location as the original 9.0.1.0 version.
>
> Apache Software is located on E:\Program Files\Apache Software
> Foundation\Tomcat 9.0.
>
> I opened Services and attempted to Start Apache Tomcat and I got an error
> message. The only thing the message meant to me is that Tomcat failed to
> start. I'm not an SME (Subject Matter Expert) on JAVA or Tomcat however if
> the content is important to resolve let me know.
>
> I removed Java 8u421 from the Control Panel (Both the Java SE Dev tool Kit and
> Java 8.421 (64-bit)).
>
> I re-installed jdk-9.0.1_windows-64_bin.exe and checked Control Panel to
> confirm both Java and the toolkit was also installed.
>
> I re-opened Services and was able to restart Apache Tomcat.
>
> I then downloaded Java 8u422-b05-windows-x64 and using the same procedures as
> above uninstalled Java 9.0.1 and installed java 8.422 and it failed to start
> Apache Tomcat, so I once again had to revert to the "vulnerable" Java 9.0.1.
>
> Can anyone tell me what non-vulnerable version of Java will work with Tomcat
> 9.0.84 or what I am missing to make the 8.xx versions I have work? I can't
> simply upgrade Apache Tomcat as there are just too many developers entrenched
> in this version.


Going back to Java 8 sounds like a really bad idea at this stage, but
if you must, then try clearing out Tomcat’s temp and work directories
first. There may be class files in there compiled with Java 9 that will
not be usable on prior versions of the JVM.

As others have stated, moving to a more recent supported JVM would be
better, such as OpenJDK 21, which is an LTS version.

  - Chuck





Trying to Resolve a Java Version Vulnerability I'm Using for Tomcat

2024-09-11 Thread Ferrick, Michael
I downloaded JDK17. Thank you.

-Original Message-
From: Holger Klawitter 
Sent: Wednesday, September 11, 2024 9:34 AM
To: Tomcat Users List 
Subject: Re: Trying to Resolve a Java Version Vulnerability I'm Using
for Tomcat


Hi Michael,

you should be fine using a contemporary version of Java like JDK17 or
JDK21.

Ferrick, Michael wrote (at 2024-09-11 13:13 +):
> Hello,
>
> The powers above have notified me that the Java version 9.0.1.0 (x64) that I
> am using with Apache Tomcat 9.0.84 has a vulnerability on my Windows servers
> (OS 2019) and MUST be remediated. That means use another Java version!
>
> I removed Java 9.0.1 (64-bit) and Java (tm) SE Development Kit 9.0 (64-bit)
> from the Control Panel (It notified me that it would stop Tomcat) and I
> installed jdk-8u421-windows-x64.exe in the default location of C:\Program
> Files\Java, which was the same location as the original 9.0.1.0 version.
>
> Apache Software is located on E:\Program Files\Apache Software
> Foundation\Tomcat 9.0.
>
> I opened Services and attempted to Start Apache Tomcat and I got an error
> message. The only thing the message meant to me is that Tomcat failed to
> start. I'm not an SME (Subject Matter Expert) on JAVA or Tomcat however if
> the content is important to resolve let me know.
>
> I removed Java 8u421 from the Control Panel (Both the Java SE Dev tool Kit and
> Java 8.421 (64-bit)).
>
> I re-installed jdk-9.0.1_windows-64_bin.exe and checked Control Panel to
> confirm both Java and the toolkit was also installed.
>
> I re-opened Services and was able to restart Apache Tomcat.
>
> I then downloaded Java 8u422-b05-windows-x64 and using the same procedures as
> above uninstalled Java 9.0.1 and installed java 8.422 and it failed to start
> Apache Tomcat, so I once again had to revert to the "vulnerable" Java 9.0.1.
>
> Can anyone tell me what non-vulnerable version of Java will work with Tomcat
> 9.0.84 or what I am missing to make the 8.xx versions I have work? I can't
> simply upgrade Apache Tomcat as there are just too many developers entrenched
> in this version.
>
> Thank you,
> Mike

--
Mit freundlichem Gruß / With kind regards
  Holger Klawitter
--
listen  klawitter  de




Re: Max parameters limit

2024-09-11 Thread Thomas Meyer
Hi,

This sounds more like a security requirement. Such constraints are usually 
implemented in the frontend, i.e. the http reverse proxy with mod_security or 
an explicit web application firewall.

Any chance to implement it in a similar way in your setup?

Kind regards
Thomas

On 11 September 2024 18:31:01 CEST, Christopher Schultz wrote:
>All,
>
>Does anyone know if there is a way to limit the number of HTTP parameters in a 
>POST request but explicitly allow more parameters for, say, a small set of 
>specific URLs?
>
>Asking for a friend.
>
>-chris
>

-- 
This message was sent from my Android device with K-9 Mail.