
Tomcat FAQ

By Technical Support Team • Sep 8th, 2008 • Category: FAQs

The OpenLogic Technical Support Team fields lots of questions on Tomcat and over 500 other open source packages. They’ve distilled decades of experience and hundreds of Tomcat support issues down to the most common questions.

General Questions
How might the Tomcat vulnerabilities exposed in CVE-2005-2090 affect us? First of all, CVE-2005-2090 affects Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0).

The issue is a case of "HTTP Request Smuggling." An HTTP request that carries both a "Transfer-Encoding: chunked" header and a "Content-Length" header is ambiguous, because the two headers can disagree about where the request body ends. Tomcat handled such a request incorrectly and forwarded its body in a way that caused the receiving server to process the tail of the body as a separate HTTP request. A remote attacker who sends this kind of request through an intermediary that frames the body the other way (a web cache, or a web application firewall) can therefore poison the web cache, bypass the firewall's checks, and mount cross-site scripting attacks against other users of the site.

Since the impact is limited to unauthorized modification of requests, it has been classified as LOW risk.
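To make the ambiguity concrete, here is an added example (not code from the FAQ, from Tomcat, or from any proxy product) that frames one constructed request body both ways a front-end and Tomcat might disagree on, and shows the check a proxy should apply before forwarding. The request bytes, the "backend.test" host name and the "/admin" path are made up for illustration; the rejection rule follows the guidance in RFC 7230 section 3.3.3 that a message with both headers must not be forwarded as-is.

```python
# Added example: one request body, framed by Content-Length and by chunked
# encoding, plus the proxy-side check that refuses the ambiguous case.
# All names and bytes below are constructed for illustration.

SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend.test\r\n\r\n"
# A chunked body that ends at once (a zero-length chunk), followed by a second request.
BODY = b"0\r\n\r\n" + SMUGGLED
# Content-Length spans the whole body, so a parser that trusts it forwards all of it.
SAMPLE_REQUEST = (
    b"POST /app/login HTTP/1.1\r\n"
    b"Host: backend.test\r\n"
    b"Content-Length: " + str(len(BODY)).encode("ascii") + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + BODY
)


def parse_head(raw):
    """Split a raw request into (request line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return lines[0].decode("ascii"), headers, body


def body_by_content_length(headers, body):
    """How a Content-Length parser frames the body: (body, leftover bytes)."""
    n = int(headers["content-length"])
    return body[:n], body[n:]


def body_by_chunked(body):
    """How a chunked parser frames the body: (decoded body, leftover bytes).
    Whatever follows the terminating chunk is read as the next request."""
    out = b""
    rest = body
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # skip the (empty) trailer section
            return out, rest
        out += rest[:size]
        rest = rest[size + 2:]  # skip the chunk data and its trailing CRLF


def is_ambiguous(headers):
    """True when both framing headers are present."""
    return "content-length" in headers and "transfer-encoding" in headers


def analyse(raw):
    """Report where each framing rule puts the end of the body."""
    _, headers, body = parse_head(raw)
    _, cl_rest = body_by_content_length(headers, body)
    _, te_rest = body_by_chunked(body)
    return {
        "ambiguous": is_ambiguous(headers),
        "leftover_by_content_length": cl_rest,
        "leftover_by_chunked": te_rest,
    }


def frame_body_safely(raw):
    """Proxy-side rule: never forward a request that carries both headers."""
    _, headers, body = parse_head(raw)
    if is_ambiguous(headers):
        raise ValueError("request has both Content-Length and Transfer-Encoding; rejecting")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return body_by_chunked(body)[0]
    if "content-length" in headers:
        return body_by_content_length(headers, body)[0]
    return b""


if __name__ == "__main__":
    print(analyse(SAMPLE_REQUEST))
```

Run stand-alone, analyse() shows the Content-Length view consuming the whole body (nothing left over) while the chunked view stops after the zero chunk and leaves the smuggled "GET /admin" request behind; frame_body_safely() raises on the same input instead of picking a side.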

What is the potential impact of CVE-2007-0450? CVE-2007-0450 is a directory traversal vulnerability that affects Apache HTTP Server fronting Tomcat 5.x before 5.5.22 and 6.x before 6.0.10.

When certain proxy modules (mod_proxy, mod_rewrite, mod_jk) are used, remote attackers can read arbitrary files via a .. (dot dot) sequence combined with the following characters, which Tomcat treats as path separators but Apache does not, so a path that passes Apache's checks is interpreted as a traversal once it reaches Tomcat:

  1. “/” (slash)
  2. “\” (backslash)
  3. URL-encoded backslash (%5C) characters in the URL.

If exploited, this vulnerability allows the unauthorized disclosure of information, and is classified as LOW risk. Upgrading to Tomcat 5.5.22 or 6.0.10 (or later) resolves it.
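The following added example (not code from the FAQ, from Apache httpd or from Tomcat) is a simplified model of the separator difference described above: one function resolves a path the way the proxy side sees it (only "/" separates segments, and the path is checked as sent), another the way Tomcat sees it (percent-decode, then treat "\" as a separator too), and a front-end check only forwards a path when both views stay under the allowed context. The "/public" and "/private" paths are made up for illustration; the models deliberately ignore everything else the real servers do.

```python
from urllib.parse import unquote

# Added example: a simplified model of the separator difference behind
# CVE-2007-0450 and the front-end check it motivates. Path names are made up.


def resolve_segments(path):
    """Resolve '.' and '..' over '/'-separated segments.
    Returns None if the path tries to climb above the root."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def view_like_apache(path):
    """Proxy-side model: only '/' separates segments and the path is checked
    as sent, so '..\\x' and '..%5Cx' are ordinary segment names."""
    return resolve_segments(path)


def view_like_tomcat(path):
    """Tomcat-side model: percent-decode, then treat '\\' as '/' as well,
    so the same bytes can turn into a '..' segment."""
    return resolve_segments(unquote(path).replace("\\", "/"))


def proxy_should_forward(path, allowed_prefix):
    """Forward only when every interpretation of the path stays under
    allowed_prefix. Checking the raw path alone is what the CVE bypasses."""
    for view in (view_like_apache(path), view_like_tomcat(path)):
        if view is None or not view.startswith(allowed_prefix):
            return False
    return True


if __name__ == "__main__":
    for p in ("/public/img/logo.png",
              "/public/..%5Cprivate/secret.txt",
              "/public/..\\private/secret.txt"):
        print(p, view_like_apache(p), view_like_tomcat(p),
              proxy_should_forward(p, "/public/"))
```

On the second and third sample paths the proxy-side view still starts with "/public/" while the Tomcat-side view has become "/private/secret.txt", which is exactly the disagreement the traversal exploits. The check is defense in depth at the proxy; the actual fix is the Tomcat upgrade.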

We’re having a problem stopping Tomcat processes when we run the “catalina.sh stop” script. This common problem typically occurs when a non-daemon thread in the JVM does not finish, so the JVM cannot exit.

First identify the Tomcat process ID, then run “kill -3 [process id]” (replacing [process id], brackets included, with the actual process ID). SIGQUIT makes the JVM write a thread dump to its standard output (catalina.out on a default installation) without stopping it. Use the thread dump to identify which thread is hanging and fix the relevant code. If you need the process gone right away, “kill -9 [process id]” terminates the JVM outright, but it produces no thread dump and skips Tomcat’s orderly shutdown, so use it only after you have captured the dump.
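The signal sequence above (SIGQUIT for a dump, SIGTERM to ask for exit, SIGKILL only if that fails) as an added example, not code from the FAQ or from Tomcat. The "JVM" in demo() is a stand-in sleep process so the escalation logic can be run without a Tomcat install; the ten-second grace period is an assumed default, not a Tomcat setting.

```python
import os
import signal
import subprocess
import time

# Added example: thread dump on SIGQUIT, then SIGTERM with escalation to
# SIGKILL. The child in demo() stands in for a JVM; nothing here is Tomcat code.


def request_thread_dump(pid):
    """SIGQUIT (kill -3) makes a HotSpot JVM write a thread dump to its stdout
    (catalina.out on a default Tomcat install) and keep running."""
    os.kill(pid, signal.SIGQUIT)


def _alive(pid):
    """True while pid exists. A child of this process is reaped with waitpid so
    a zombie is not mistaken for a live process; any other pid is probed with
    signal 0, which only checks existence."""
    try:
        reaped_pid, _ = os.waitpid(pid, os.WNOHANG)
        return reaped_pid == 0
    except ChildProcessError:
        try:
            os.kill(pid, 0)
            return True
        except ProcessLookupError:
            return False


def stop_with_escalation(pid, grace_seconds=10.0, poll=0.1):
    """Send SIGTERM, wait up to grace_seconds, then SIGKILL.
    Returns 'gone' (already exited), 'term' or 'kill'."""
    try:
        os.kill(pid, signal.SIGTERM)
    except ProcessLookupError:
        return "gone"
    deadline = time.monotonic() + grace_seconds
    while time.monotonic() < deadline:
        if not _alive(pid):
            return "term"
        time.sleep(poll)
    try:
        os.kill(pid, signal.SIGKILL)  # no dump, no orderly shutdown: last resort
    except ProcessLookupError:
        return "term"
    return "kill"


def demo(ignore_term, grace_seconds=1.0):
    """Run the escalation against a stand-in child. With ignore_term=True the
    child ignores SIGTERM (set before exec, so there is no race), standing in
    for a JVM that will not exit on its own; only SIGKILL ends it."""
    preexec = (lambda: signal.signal(signal.SIGTERM, signal.SIG_IGN)) if ignore_term else None
    child = subprocess.Popen(["sleep", "30"], preexec_fn=preexec)
    try:
        return stop_with_escalation(child.pid, grace_seconds=grace_seconds)
    finally:
        child.wait()


if __name__ == "__main__":
    print("cooperative child:", demo(False))   # 'term'
    print("child ignoring TERM:", demo(True))  # 'kill'
```

Against a real Tomcat you would call request_thread_dump(pid) first, read the dump from catalina.out, and only then run stop_with_escalation(pid); the waitpid handling in _alive matters because the shell or script doing the killing is often the parent of the JVM.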

I’d like to create a mod_rewrite rule that redirects traffic to a different URL. Make sure mod_rewrite is loaded and RewriteEngine is On, then replace the RewriteRule in the Apache configuration so that it points at the desired URL. In the example below, the old rule sent every request to its HTTPS equivalent; the new rule redirects a request for the site root (“/”) to the login page, with the R flag forcing an external redirect and NC making the match case-insensitive:

Old value:

RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI}

New value:

RewriteRule ^/$ CHEER/logon.jsp [R,NC]

Related OLEX Packages: tomcat
Technical Support Team
Needs fixin'? We'll fix it. Not getting it? We get it. Worried? Don't be, we're here for you. Also, we're nice, and we speak in intelligible sentences and we really, really will try to avoid sarcasm. We know about lots and lots of really cool stuff; and if we don't know it we'll figure it out in no time flat. If you wanted to call us by name you'd say, "Um, Dave?"