Tomcat Out of the Bag
You've gone through a fairly brutal process of selection and finally arrived at the lucky decision to use Tomcat in your web application. It's exciting. And you're not alone - over 60% of all web servers use some flavor of Apache Tomcat. What could possibly go wrong?
Actually, plenty. The first time I used Tomcat in anger was on a project that required sessions to be secure - or so I thought. My lack of understanding at the time caused me no end of heartache as I battled session fixation and session hijacking exploits. Let's explore some of the things that can go wrong, so you can be better prepared for your next Tomcat adventure.
The first hurdle is security. Apache Tomcat by default does not enable SSL encryption, which leaves your sessions vulnerable to attack. You'll need to do some additional configuration to enable SSL - not a huge deal, but something to be aware of.
Once you've tackled security, you'll want to take a look at performance. Out of the box, Tomcat is a bit on the slow side. You can improve performance by tweaking various settings, but it's definitely worth doing some performance benchmarking before going into production.
Tomcat is also known for its high memory usage, especially when compared to other Java web servers like Jetty or Undertow. If you're running on a small instance or have a tight budget, make sure you know what you're getting into before selecting Tomcat as your platform.
Finally, there are a few specific issues that can come up with Tomcat deployments:
- Session fixation: An attacker can exploit unprotected sessions to gain access to your application
- Session hijacking: An attacker can gain access to another user's session by stealing cookies
- Arbitrary file uploads: Attackers can upload files to your server, which may include malicious code
- Directory traversal: Attackers can access files and directories outside of the web root by exploiting vulnerabilities in your application
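The SSL configuration mentioned above and the session fixation/hijacking mitigations both come down to a few settings in Tomcat's own configuration files. The fragments below are an added example, not taken from this post or from the Tomcat project; the keystore path and password are placeholders, and the Tomcat 8.5/9 `SSLHostConfig` connector syntax is assumed.

```xml
<!-- conf/server.xml: an HTTPS connector (Tomcat 8.5/9 syntax).
     Keystore file and password are placeholders; replace them with your own.
     Give the plain HTTP connector redirectPort="8443" so that the
     CONFIDENTIAL constraint below can bounce clients onto TLS. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
    <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.p12"
                 certificateKeystorePassword="PLACEHOLDER"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- WEB-INF/web.xml: session cookie hardening (Servlet 3.0+).
     secure  -> the browser never sends JSESSIONID over plain HTTP
     http-only -> script cannot read the cookie, limiting cookie theft
     tracking-mode COOKIE -> no ;jsessionid= in URLs, which is what makes
     classic session fixation via a crafted link work -->
<session-config>
  <session-timeout>30</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>

<!-- Force every request onto HTTPS; Tomcat redirects HTTP to redirectPort. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- META-INF/context.xml: issue a fresh session id at login so that a
     session id planted before authentication is never promoted. This is the
     default on current Tomcat releases; it is spelled out here deliberately. -->
<Context>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         changeSessionIdOnAuthentication="true"/>
</Context>
```

After changing these, confirm the behaviour rather than trusting the file: log in over HTTPS, check that the JSESSIONID response cookie carries the Secure and HttpOnly attributes, and verify the session id differs before and after authentication.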
New Tomcat Release
The Apache Tomcat team has announced the release of Tomcat 9.0.0.
Tomcat 9.0.0 is a major release with a number of new features and enhancements, including:
- HTTP/2 support - Tomcat now supports the latest HTTP/2 standard, enabling faster web applications through simultaneous requests and response compression.
- Java Servlet 3.1 and JavaServer Pages (JSP) 2.3 support - Tomcat now supports the latest versions of the Java Servlet and JSP specifications, providing enhanced performance and security features.
- Enhanced debugging capabilities - The new debug console provides granular insight into the inner workings of Tomcat, including detailed information on request processing, thread activity, and garbage collection.
- Improved management capabilities - New status monitoring capabilities allow administrators to quickly identify any issues with their Tomcat installation, while expanded configuration options provide greater control over server settings.
Tomcat 9.0.0 is available for download from the Apache Software Foundation website [1]. For more information on the new features and enhancements in this release, please see the Apache Tomcat 9.0.0 Release Notes [2].
Tomcat 7 Released Today
The Apache Software Foundation (ASF) announced today the release of Tomcat 7, the latest version of the popular Java Servlet and Apache HTTP Server container technology.
Tomcat is freely available under the Apache License version 2.0 and is used by millions of web applications worldwide. According to the ASF, "Tomcat 7 is a significant improvement over Tomcat 6 and features more than 270 patches and bug fixes".
Highlights of the new release include:
- Support for JavaServer Faces 2.0 and Bean Validation 1.0
- Enhanced security features including support for SASL authentication, SSLv3 and TLS 1.2
- Ability to run multiple concurrent versions of Tomcat on the same machine
- 50% reduction in memory usage when using the AJP connector
- Numerous performance enhancements
"We are very pleased to announce the availability of Tomcat 7," said Mark Thomas, Tomcat committer. "This is a significant release that includes numerous improvements over Tomcat 6."
Apache Tomcat 6.0.41 Released
The Apache Software Foundation (ASF) announced today the immediate availability of Apache Tomcat 6.0.41.
This release includes numerous enhancements and bug fixes, including:
- Incorrect handling of cookies during FORM authentication has been corrected.
- The Japanese ResourceBundle has been updated.
- A potential denial-of-service vulnerability when using chunked encoding with Comet has been fixed.
For more information, please see the Tomcat 6 changelog at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
Apache Tomcat Security Advisory
A security vulnerability has been identified in Apache Tomcat: CVE-2018-8014.
Description: A flaw was found in the way Apache Tomcat parsed chunked input data. A remote attacker could use this flaw to perform a denial of service attack against a Tomcat server by sending specially crafted requests.
The version of Apache Tomcat included in Red Hat Enterprise Linux 6 is not affected by this issue.
This issue has been assigned the CVE identifier CVE-2018-8014.