Tomcat 9 vulnerability alerts

 
Ranch Hand
Posts: 192
Hello. I'm running some older servlets on Tomcat 9 and scans are showing several vulnerabilities. I read that some of these are resolved with point releases. Do you guys have a recommended approach? It seems if I go up in point release, something new will be identified (nature of the security beast). Is Tomcat 10 able to run the same servlets as all releases before it (my last upgrade was from Tomcat 5 to 9)? Thank you very much.
 
Saloon Keeper
Posts: 27719
Moving to Tomcat 10 is not done lightly. Tomcat 9 is the final Oracle JEE version. Tomcat 10 uses Jakarta EE. That means that you have to change all the JEE package references from javax. to jakartax. and make sure that all of the libraries you use are Jakarta compatible.
 
Thomas Griffith
Ranch Hand
Posts: 192
That's what I thought/feared. You think I should try to migrate up to the last Tomcat 9 point release or live with these alerts? It seems like the 9 point releases were resolving each alert, then another point release to resolve another. I think the alerts will keep coming regardless.
 
Marshal
Posts: 28141
It seems to me like, if the lifetime of these servlets is not going to end very soon, you need to move up to Tomcat 10 at some time. Like Tim says, that will be a bit of a project. It's not imperative to do that next week, but on the other hand those vulnerabilities are hanging over your head. It's impossible for me to know how important you consider those options.

It's certainly possible to postpone the Tomcat 10 update indefinitely and continue with the point updates. In the long term your setup will be more and more obsolete, but many thousands of project managers have made that choice.
 
Thomas Griffith
Ranch Hand
Posts: 192
Yeah, I was thinking of trying 10 after reading about the deployment converter tool from javax to jakarta. Does that actually work with compiled wars? Looks like I can just put the wars in that legacy directory and they'll be deployed to webapps with jakarta. I think I'm missing something. Then there's the external jars in the lib like ojdbc and domino, etc. which Tim mentioned. Not sure which of those have javax and wouldn't know what to do with them.
 
Rancher
Posts: 43081
The migration may or may not involve much up-front work. While eventually you should move to the jakarta namespace, at least initially you can add the https://github.com/apache/tomcat-jakartaee-migration tool to your build process, and over time, step by step, adapt your code and any libraries. The tool works on jar files, not war files.

What may be more troublesome is that TC 10.1 requires Java 11, whereas TC 9 and 10.0 (which is obsolete) ran on Java 8. So you need to make your code Java 11 compliant (assuming you haven't done so already).

Of course, the issue with point release after point release does not go away by switching TC versions; see https://tomcat.apache.org/tomcat-10.1-doc/changelog.html. So you will find yourself upgrading to newer versions no matter which base version you're using.
 
Thomas Griffith
Ranch Hand
Posts: 192
Yeah, I'm running Tomcat 9 with Java 11, somehow. I have to figure out what is happening here...

 
Tim Holloway
Saloon Keeper
Posts: 27719

Ulf Dittmer wrote:What may be more troublesome is that TC 10.1 requires Java 11, whereas TC 9 and 10.0 (which is obsolete) ran on Java 8. So you need to make your code Java 11 compliant (assuming you haven't done so already).
From experience doing so, the main issues are that it will scream about the introspection mechanisms and possibly module violations. Most of the problems will probably actually not be in your own code but in the libraries your code employs.
 
Thomas Griffith
Ranch Hand
Posts: 192
Hello. The two web apps are full of javax import packages (javax.xml, javax.sql, javax.naming, javax.servlet, etc.). I can't figure out how this stuff runs on Java 11 but found rt.jar in the lib. Is this basically allowing the runtime of javax regardless of the Java version?
 
Tim Holloway
Saloon Keeper
Posts: 27719
The rt.jar file was part of older JVMs but has since been removed.
 
Tim Holloway
Saloon Keeper
Posts: 27719
Note: Not all "javax." packages moved to Jakarta. The javax packages indicate extensions to core Java made by Sun but not proprietary to Sun, so they include not only JEE stuff, but also stuff like standard XML functions.

Just to make it more confusing, the "javax" packages may or may not have ever lived in the core JVM and in some cases have moved back and forth.
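A quick audit of which javax packages a jar actually references, following Ulf's point that the migration tool works on jar files and Tim's point that not every javax package moved to Jakarta. This is an added example, not code from this thread or from the Apache migration tool; the MOVED and STAYS_IN_JDK prefix lists and the sample jar are my own assumptions (a subset, not a complete mapping).

```python
"""Audit a jar for javax.* references and bucket them by whether the package moved
to jakarta.* (needs the migration tool) or still lives in the JDK. Added example, not
from the thread or the Apache tool; prefix lists are an assumed subset."""
import io
import re
import zipfile

# javax prefixes that became jakarta.* (assumption: Tomcat's APIs plus JAXB and JTA).
MOVED = ("javax.servlet", "javax.el", "javax.websocket", "javax.annotation",
         "javax.security.auth.message", "javax.xml.bind", "javax.transaction")
# Sub-packages under a MOVED prefix that remain in JDK modules.
STAYS_IN_JDK = ("javax.annotation.processing", "javax.transaction.xa")
# Heuristic: constant-pool class names use '/' separators, e.g. javax/servlet/http/HttpServlet.
_REF = re.compile(rb"javax/[A-Za-z0-9_$/]+")

def _under(pkg, prefixes):
    return any(pkg == p or pkg.startswith(p + ".") for p in prefixes)

def classify(pkg):
    """Return 'moved' if the dotted package is now under jakarta.*, else 'stays'."""
    if _under(pkg, STAYS_IN_JDK):
        return "stays"
    return "moved" if _under(pkg, MOVED) else "stays"

def scan_jar(data):
    """Scan every .class entry in a jar (bytes); returns {'moved': set, 'stays': set}."""
    found = {"moved": set(), "stays": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                for ref in _REF.findall(jar.read(name)):
                    # Drop the simple class name, keep the package in dotted form.
                    pkg = ref.decode().rsplit("/", 1)[0].replace("/", ".")
                    found[classify(pkg)].add(pkg)
    return found

def build_sample_jar():
    """Constructed jar: fake class entries (magic number plus constant-pool-like
    strings, not real bytecode) standing in for a legacy javax web app."""
    fake_classes = {
        "app/LegacyServlet.class": [b"javax/servlet/http/HttpServlet", b"Ljavax/sql/DataSource;"],
        "app/Lookup.class": [b"javax/naming/InitialContext", b"javax/annotation/PostConstruct",
                             b"javax/annotation/processing/Processor"],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        for name, strings in fake_classes.items():
            jar.writestr(name, b"\xca\xfe\xba\xbe" + b"\x00".join(strings))
    return buf.getvalue()
```

Run `scan_jar` over each jar in a real lib directory (read the file as bytes) to see which ones need the converter and which only touch JDK packages such as javax.sql or javax.naming.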
 
Thomas Griffith
Ranch Hand
Posts: 192
Man, what did they gain by changing the namespace after so many years? If rt.jar and I think servlet-api.jar from Tomcat 9 were put into the Tomcat 10 lib, and the apps deployed, could the javax stuff run if it finds the javax servlet classes in a jar in the lib?
 
Tim Holloway
Saloon Keeper
Posts: 27719
The namespace was changed because namespaces have owners. Stuff I produce via my own organization is in the "com.mousetech" namespace. JEE is no longer owned by Oracle. They've completely offloaded it to the Jakarta (Apache) foundation. "com.jakarta" and "org.jakarta" are namespaces that Apache has historically used for their own JEE projects, so when the ownership of JEE itself changed, they changed the package paths to correspond.

Oracle owns both the "java" and "javax" namespaces (as well as "com.sun"). As I mentioned before, though, there are also non-JEE items in the javax namespace, so Oracle couldn't just hand it over to Jakarta. Thus the uproar.
 
Tim Holloway
Saloon Keeper
Posts: 27719

Thomas Griffith wrote:If rt.jar and I think servlet-api.jar from Tomcat 9 were put into the Tomcat 10 lib, and the apps deployed, could the javax stuff run if it finds the javax servlet classes in a jar in the lib?

It would be a total train wreck. You'd have conflicts between the two sets of classes, and the javax API wouldn't even match up with the actual jakarta implementations. The stuff in rt.jar moved to other places, so you'd have a real mess there.
 
Ulf Dittmer
Rancher
Posts: 43081

Thomas Griffith wrote:If rt.jar and I think servlet-api.jar from Tomcat 9 were put into the Tomcat 10 lib, and the apps deployed, could the javax stuff run if it finds the javax servlet classes in a jar in the lib?

Do you not want to use the migration tool (which can be integrated into the build system, so you'd have to make no code or library changes)? If so, why not? That is the proper solution to this issue.
 
Thomas Griffith
Ranch Hand
Posts: 192

Ulf Dittmer wrote:Do you not want to use the migration tool (which can be integrated into the build system, so you'd have to make no code or library changes)? If so, why not? That is the proper solution to this issue.

Hello. I upgraded to the latest 9.73. Had some adjustments, as usual, but now I was looking at the utility again (zip distribution, Windows). I downloaded, verified integrity, signatures, etc. But I can't find an example of using it with the command line. I also looked for an executable in the distribution but just see migrate.sh in bin. I would think it would need a path environment variable set? Is there a command line example anywhere? Thanks again.
 
Tim Holloway
Saloon Keeper
Posts: 27719
I think you might want to look at the documentation for that app:

https://github.com/apache/tomcat-jakartaee-migration

Look at the details under the section labeled "Migration".
 
Thomas Griffith
Ranch Hand
Posts: 192
Thanks so much, that is what I needed. I didn't scroll down to see the command line stuff before.

Now I want to uninstall earlier service. Now have two instances/services, Tomcat90 (old) and Tomcat97 (just installed/running). Do I need to specify the name when I run "service.bat uninstall" from Tomcat90's bin directory? Or does it know from where it's executing to remove that service?

Everything says just service.bat uninstall and I haven't seen any references to a service name but just want to make sure.

Oh, yeah, I also installed Tomcat 10 instance/service in test and used that converter tool. It seemed to have worked. Thanks everybody on that as well.
 
Thomas Griffith
Ranch Hand
Posts: 192
Hello. Revisiting this and I've read numerous ways to remove the 90 Tomcat service and installation, for example...

1. service.bat remove <service_name>...then add/remove programs

2. service.bat uninstall from bin folder....presume add/remove programs after that

3. add/remove programs gets rid of service and entire Tomcat installation in one shot

4. C:// tomcat9 //DS//MyService (but I have two different point releases of Tomcat9, will the "tomcat9" mess with the latest?)

5. sc delete {your_service_name}

...etc...

Is there a definitive way to do this? I did this several years ago with the initial upgrade to 9 but can't remember what I did. Thank you.
 
Tim Holloway
Saloon Keeper
Posts: 27719
I think that "service.bat" merely removes Tomcat from the system services inventory.

Your best bet would be to uninstall the MSI for the Tomcat service. It should (I hope!) take out the Tomcat service, remove the Tomcat software and purge any Registry entries. If it's like Linux uninstalls, however, it will probably leave the Tomcat data directories, so you'd have to delete them manually (this allows for a safe uninstall/reinstall recovery process).
 
Thomas Griffith
Ranch Hand
Posts: 192
Oh, I don't see it in add/remove programs. What I must have done is unzipped the Tomcat on the server then ran service.bat install. I never installed Tomcat as a program.

Therefore, I am running...

service.bat remove <service_name>

and that took it out of the services list, and I deleted the folders/files via File Explorer.
 