7 Replies Latest reply on Mar 25, 2008 1:50 PM by Miles Nakamura

    Exact Tomcat Version

    Frank Russo Newbie

      Does anyone know the exact tomcat version that is embedded in version 4.2.0 GA?

      I read in the docs that it's 6.0, but I'd like to know which 6.0.x it is exactly.


        • 1. Re: Exact Tomcat Version
          Jean-Frederic Clere Master

          It is based on jbossweb 2.0.x, which is based on TC 6.0.13.

          • 2. Re: Exact Tomcat Version
            murthy g Newbie

            I am looking for tomcat6-service.jar. Or how can I integrate Tomcat 6 with JBoss?


            • 3. Re: Exact Tomcat Version
              murthy g Newbie

              Hopefully someone will tell me where to download tomcat6-service.jar if I give my reasons:
              a) Tomcat 5.5.26 has clustering, which to me means the session is shared among a cluster of Tomcat servers
              b) I cannot move past JBoss 4.0.2 because of JSF reasons; basically my JSF app doesn't scale with subsequent versions of JBoss; also too lazy to fix the JSF code
              c) when I am done testing with Tomcat 5.5.26 I might consider using the JBoss clustering solution (which I don't understand well enough to implement).

              Any information is appreciated.

              • 4. Re: Exact Tomcat Version
                Miles Nakamura Newbie

                What version of Tomcat is JBoss 4.2.2 GA based on?

                The reason for my question is that some security vulnerabilities have been identified in Tomcat and we need to know if upgrading to a later version of JBoss will fix our problem. Here is a description of the vulnerabilities:

                7.1 (U) Apache Tomcat 6.0.5 - 6.0.15 Information Disclosure Vulnerability: Apache reports that if an exception occurs during the processing of parameters, such as the client disconnecting, then it is possible the parameters submitted for the request will be incorrectly processed as part of a subsequent request. To exploit this vulnerability, an unauthenticated remote attacker would locate a site hosting a vulnerable version of the Adobe Tomcat application, then wait for an unsuspecting user to transmit data to the server. Once transmitted, the attacker would cause the user/client to disconnect during the transmission and initiate their own connection with the user's parameters as part of the attacker's request. The successful exploitation of this vulnerability could allow a remote attacker access to sensitive information which could be used in later attacks.

                7.2 (U) Apache Tomcat Data Integrity Vulnerability: Apache reports several versions of Tomcat (5.5.11 - 5.5.25 and 6.0.0 - 6.0.15) do not properly handle an empty request to an SSL port using netcat when the native Apache Portable Runtime (APR) connector is used. The successful exploitation of this vulnerability could allow an unauthenticated remote attacker to trigger a handling of "a duplicate copy of one of the recent requests".

                7.3 (U) Apache Tomcat WebDAV Servlet Information Disclosure Vulnerability: Apache reports an information disclosure vulnerability associated with the WebDAV servlet in several Tomcat versions (4.0.0 - 4.0.6, 4.1.0, 5.0.0, 5.5.0 - 5.5.25, and 6.0.0 - 6.0.14). When the WebDAV servlet is configured for use with a context and has been enabled for write, some WebDAV requests that specify an entity with a SYSTEM tag can result in the disclosure of information to the client issuing the request. To exploit this vulnerability, an authenticated remote attacker could gain access to a vulnerable webserver and could create a maliciously crafted HTTP WebDAV Lock request for a file that the attacker has permissions to access, as well as referencing another remote file. The WebDAV 'Lock' function would process the attacker's request, making the remote file available to them.

                Note: Exploit code has been developed for this vulnerability and is publicly available.

                7.4 (U) Apache Tomcat JULI Vulnerability: Apache reports that the default catalina.policy in the JULI logging component in several Tomcat versions (5.5.9 - 5.5.25 and 6.0.0 - 6.0.15) does not restrict certain permissions for web applications. To exploit this vulnerability, an unauthenticated local attacker would construct a maliciously crafted Java web application which could contain a malicious logging configuration which is designed to leverage this vulnerability. The attacker would then gain local, interactive access to a vulnerable webserver, and then install and execute the malicious application. The application would write the log files, using the permissions of the user running the server. The successful exploitation of this vulnerability could allow an attacker to modify logging configuration options and overwrite arbitrary files, as well as having access to sensitive information.

                Note: JULI is enabled by default in Tomcat 6.0, and supports per classloader configuration, in addition to the regular global java.util.logging configuration.

                7.5 (U) Apache Tomcat Session Hijacking Vulnerability: Apache reports that several versions of Tomcat do not properly handle (1) double quote (") characters, or (2) %5C (encoded backslash) sequences in a cookie value. To exploit this vulnerability, an unauthenticated remote attacker would need to locate a network-accessible instance of a server hosting a vulnerable application (6.0.0 - 6.0.14, 5.5.0 - 5.5.25, and 4.1.0 - 4.1.36). A maliciously crafted web page or URI would be created by the attacker, to include either or both of these conditions, and distributed as a webpage/URI to an unsuspecting user. When the user views this webpage or follows this URI link, the user's server would not be able to properly handle the cookie data, and the user's information would be disclosed to the attacker, which could enable the attacker to ultimately hijack the user's session.
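
                The version ranges quoted in items 7.1 to 7.5 above lend themselves to a mechanical check. The following Python script is an added example, not code from this thread or from the JBoss project: it copies the inclusive affected ranges from the post and reports which items cover a given Tomcat base version, tried here against the 6.0.13 base named in reply 1 and the 5.5.25 / 5.5.26 releases the later replies ask about. The short item labels and the branch-walking helper are my own constructions, not advisory titles. A vendor build such as JBoss Web may carry backported patches, so a range comparison on the upstream base version is only the starting point, not a verdict on what the bundled build actually fixed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, copied from items 7.1-7.5 of the post above.
# Single versions (4.1.0 and 5.0.0 in item 7.3) are written as a range of one.
# The short labels are constructed for this example, not advisory titles.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "7.1 parameter-handling information disclosure": [("6.0.5", "6.0.15")],
    "7.2 APR connector data integrity": [("5.5.11", "5.5.25"), ("6.0.0", "6.0.15")],
    "7.3 WebDAV servlet information disclosure": [
        ("4.0.0", "4.0.6"), ("4.1.0", "4.1.0"), ("5.0.0", "5.0.0"),
        ("5.5.0", "5.5.25"), ("6.0.0", "6.0.14"),
    ],
    "7.4 JULI catalina.policy permissions": [("5.5.9", "5.5.25"), ("6.0.0", "6.0.15")],
    "7.5 cookie handling session hijacking": [
        ("6.0.0", "6.0.14"), ("5.5.0", "5.5.25"), ("4.1.0", "4.1.36"),
    ],
}


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch' into an int tuple so ranges compare numerically
    (plain string comparison would sort '6.0.9' after '6.0.15')."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version <= high, compared component by component."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def affected_items(version: str) -> List[str]:
    """Items from the post whose listed ranges include this Tomcat version."""
    return [
        label
        for label, ranges in AFFECTED_RANGES.items()
        if any(in_range(version, low, high) for low, high in ranges)
    ]


def first_unlisted_on_branch(version: str, limit: int = 1000) -> str:
    """Walk the patch level upward on the same major.minor branch until no
    listed range covers it. This only says where the quoted ranges stop; it is
    not a statement that the returned release fixed anything."""
    major, minor, patch = parse_version(version)
    for candidate in range(patch, patch + limit):
        text = f"{major}.{minor}.{candidate}"
        if not affected_items(text):
            return text
    raise RuntimeError("no unlisted patch level found within limit")


if __name__ == "__main__":
    # Versions taken from the thread: the 6.0.13 base named in reply 1 and the
    # 5.5.x releases the later replies ask about.
    for v in ("6.0.13", "5.5.25", "5.5.26"):
        hits = affected_items(v)
        print(f"Tomcat {v}: {len(hits)} item(s) listed -> {hits or 'none'}")
        print(f"  first patch level outside every listed range: {first_unlisted_on_branch(v)}")
```

                Run as a script it prints the hit list per version; `affected_items` returns the matching item labels so the same check can be dropped into an inventory script that reads the Tomcat version out of each deployed server's manifest.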

                • 5. Re: Exact Tomcat Version
                  Luciano Avendano Newbie

                  I'm also having the same problem. Does anyone know if I can upgrade to Tomcat 5.5.25 with JBoss 4.0.3 SP1?

                  • 6. Re: Exact Tomcat Version
                    Luciano Avendano Newbie

                    I meant to say, upgrade to Tomcat 5.5.26...