Tomcat 5 released!
The Apache Tomcat team is proud to announce the release of Apache Tomcat 5.0.37.
Tomcat 5 is the most recent major release of the Tomcat Servlet and JavaServer Pages (JSP) container, offering new features and enhancements over previous releases. Highlights include:
-   Clustering with in-memory session replication across multiple Tomcat JVMs, whether on a single machine (handy for development and testing) or spread across a few hosts in a small production deployment
-   An integrated administration web application for managing a Tomcat server instance
-   Support for the Servlet 2.4 and JSP 2.0 specifications (Servlet 2.5 and JSP 2.1 arrive with Tomcat 6, not with this release)
-   Security features including BASIC and DIGEST authentication, SSL/TLS through JSSE, and the ability to declare default security constraints that apply to all web applications
-   Many other minor enhancements and bug fixes
This release marks a significant step forward in maturity and feature set for the Tomcat project, and we encourage everyone using earlier releases to upgrade as soon as possible. For more information, please see the Tomcat 5 documentation on the Apache web site: http://tomcat.apache.org/server-5.0/.
Tomcat developers warn of new Java security vulnerability
The Apache Tomcat development team has issued a warning about a new Java security vulnerability that can be exploited to take over web applications running on the servlet engine.
The vulnerability, which was discovered by researchers at IBM, affects Java 7 and Java 8 releases prior to Java 8u20 (the update the advisory below names as the fix) and can be exploited by attackers to execute arbitrary code on vulnerable systems.
Tomcat experts are urging users to update their Java installations as soon as possible to protect themselves from potential attack. "Users of Java 7 and 8 should upgrade to Java 8 u20 as soon as possible," the Tomcat developers said in an advisory. "If you are unable to upgrade, we recommend that you disable the JMX/RMI service."
The bug is a remote code execution (RCE) flaw in the Java Management Extensions (JMX) and Remote Method Invocation (RMI) components of the Java platform. Because the RMI registry deserializes objects received from the network, an attacker who can reach a JVM's JMX/RMI port can trigger it by sending a specially crafted serialized message.
"The vulnerability is due to incorrect handling of deserialization of objects in the JMX and RMI components," the Tomcat developers said in their advisory. "An attacker could exploit this vulnerability by sending a specially crafted message to the target system."
IBM's Security Intelligence blog describes the vulnerability in more detail: "The vulnerability... allows an attacker to execute arbitrary code on a victim's machine if they can get access to an object that has been serialized and then unserialized. The vulnerability is caused by how the java.rmi and java.management classes deserialize objects."
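Whether a Tomcat JVM is actually reachable this way depends on how it was started. As an added example (not from the advisory or from the Tomcat project), the following shell audit reads the option string a Tomcat instance was launched with, such as CATALINA_OPTS from bin/setenv.sh or the output of ps -o args= for the java process, and reports remote JMX that runs without authentication, without TLS, or without a JEP 290 deserialization filter. The property names are the JDK's documented com.sun.management.jmxremote.* and jdk.serialFilter settings; the three option strings and the filter pattern are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Audit the JVM options a Tomcat instance runs with for remote JMX exposure.
# Property names are the JDK's standard com.sun.management.jmxremote.* and
# jdk.serialFilter settings; the sample option strings below are constructed.

# jvm_prop OPTS NAME: print the value of -DNAME=value found in OPTS, or
# nothing if the property is absent. Options are split on whitespace, so
# values containing spaces are out of scope for this check.
jvm_prop() {
    local name
    name=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for sed
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$name=//p" | head -n 1
}

# jmx_audit OPTS: print one finding per line; return 0 if remote JMX is
# either disabled or configured with authentication, TLS and a
# deserialization filter, 1 if any of those is missing.
jmx_audit() {
    local opts=$1 port auth ssl filter count=0

    # The RMI registry is only opened to the network when a port is set;
    # without it the agent is reachable only through the local attach API.
    port=$(jvm_prop "$opts" com.sun.management.jmxremote.port)
    if [ -z "$port" ]; then
        return 0
    fi

    # authenticate and ssl both default to true when absent, so only an
    # explicit "false" weakens the configuration.
    auth=$(jvm_prop "$opts" com.sun.management.jmxremote.authenticate | tr 'A-Z' 'a-z')
    ssl=$(jvm_prop "$opts" com.sun.management.jmxremote.ssl | tr 'A-Z' 'a-z')
    if [ "$auth" = false ]; then
        echo "remote JMX on port $port accepts unauthenticated connections"
        count=$((count + 1))
    fi
    if [ "$ssl" = false ]; then
        echo "remote JMX on port $port runs without TLS"
        count=$((count + 1))
    fi

    # JEP 290 (Java 9, backported to 8u121) adds a process-wide filter that
    # restricts which classes ObjectInputStream will reconstruct. The RMI
    # registry deserializes what remote callers send, so flag its absence.
    filter=$(jvm_prop "$opts" jdk.serialFilter)
    if [ -z "$filter" ]; then
        echo "remote JMX on port $port has no jdk.serialFilter allow-list"
        count=$((count + 1))
    fi

    if [ "$count" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Constructed sample option strings (not taken from a real deployment); the
# filter pattern in HARDENED_OPTS is illustrative, not a recommended list.
EXPOSED_OPTS='-Xmx2g -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false'
HARDENED_OPTS='-Xmx2g -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/opt/tomcat/conf/jmxremote.password -Dcom.sun.management.jmxremote.ssl=true -Djdk.serialFilter=java.lang.*;java.util.*;javax.management.**;!*'
LOCAL_ONLY_OPTS='-Xmx2g -Dcom.sun.management.jmxremote'

# Demonstration: the exposed sample produces three findings.
jmx_audit "$EXPOSED_OPTS" || true
```

Disabling the service, as the advisory suggests, corresponds to dropping the jmxremote.port property entirely (LOCAL_ONLY_OPTS); the hardened sample shows the alternative when remote monitoring is required.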
Apache Tomcat hit by critical remote code execution flaw
The Apache Tomcat project has disclosed a critical vulnerability that could allow remote code execution.
The vulnerability affects the 9.x, 8.x, 7.x and 6.x branches that were supported at the time; the project's security pages list, for each branch, the first release that carries the fix. Note that CVE-2019-0211, sometimes cited for this issue, is an unrelated Apache HTTP Server (httpd) privilege-escalation flaw fixed in httpd 2.4.39 and does not apply to Tomcat.
"An attacker could potentially use this flaw to execute arbitrary code on a Tomcat server," the project said in a security advisory published Wednesday.
The vulnerability is caused by a Java deserialization issue in the Apache Commons FileUpload library that Tomcat bundles. Remote attackers exploit it by sending specially crafted serialized objects to the targeted server; as with other deserialization gadgets, this requires an application component that deserializes untrusted input, so the mere presence of the library does not make a server exploitable.
The project has released updated versions of Tomcat 9.x and 8.x that address the vulnerability. Applications that ship their own copy of Commons FileUpload in WEB-INF/lib must update that copy separately, since Tomcat's fix covers only the copy it bundles. Affected users are advised to update their installations at the earliest opportunity.
Tomcat 9 released, built for Java 8
Apache Tomcat 9 has been released and requires Java 8 or later, making it the first version of Tomcat to do so (Tomcat does not ship a JRE; the runtime is supplied separately). The move is in line with the Apache TomEE project's move to the current Java SE release.
Tomcat 9's release is timely given the impending end of public updates for Java 6 and 7. While those older releases will remain in use for some time, moving to Java 8 ensures that users can take advantage of new language features and ongoing security updates.
Because Tomcat 9 targets Java 8, upgrading is straightforward for developers already on that runtime; for everyone else the main prerequisite is updating the Java runtime environment first. In addition, Java 8 will be supported by Tomcat 9 until at least September 2021, giving developers plenty of time to migrate their applications.
Tomcat 9 also includes a number of other new features and enhancements. These include:
-   An HTTP/2 connector. HTTP/2 over TLS is negotiated with the ALPN extension, so browsers use it only when the server's TLS stack offers ALPN; on Java 8 that means running the APR/native connector, since Java 8's JSSE stack did not originally provide ALPN. 
-   Support for Servlet 4.0 and WebSocket 1.1 (JSR 356). Servlet 4.0 adds HTTP/2 server push through the PushBuilder API, lets a servlet discover how its request was matched via HttpServletMapping, and exposes HTTP trailer headers; asynchronous request processing carries over from Servlet 3.x. 
-   A number of performance improvements, including up to a 30% improvement in throughput when using HTTP/2 over HTTPS and up to a 50% improvement when using gzip compression. 
New version of Apache Tomcat fixes vulnerabilities
Overview
The Apache Software Foundation has released Apache Tomcat 9.0.12, together with the corresponding 8.5.34 and 7.0.91 releases, each fixing a security vulnerability.
The fix is for CVE-2018-11784, an open redirect: when the default servlet issued a redirect to add a trailing slash to a directory URL (for example from /foo to /foo/), a specially crafted request could make the redirect point at an attacker-chosen host. This is useful for phishing, not for code execution.
CVE-2018-1302, sometimes listed alongside it, is not a Tomcat issue: it is a write to already freed memory in the Apache HTTP Server's mod_http2 when a stream was destroyed after being handled, fixed in httpd 2.4.30.
How to update Tomcat
If you are running Tomcat 9.0.x earlier than 9.0.12, upgrade to 9.0.12 or later as soon as possible. Run $CATALINA_HOME/bin/version.sh to see the installed version; upgrade instructions are on the Apache Tomcat website.
If you are running Tomcat 8.5.x, upgrade to 8.5.34 or later, and on 7.0.x to 7.0.91 or later. Tomcat 8.0.x reached end of life in June 2018 and receives no fix, so those installations should move to 8.5 or 9.0. Instructions can be found on the Apache Tomcat website.
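To act on the guidance above (and on the advice to update in the FileUpload item earlier on this page), an operator needs to know whether an installed version is older than the first fixed release, and Tomcat's milestone versions make a naive string comparison unreliable. The following shell example, added here and not part of the Tomcat project, parses the output of $CATALINA_HOME/bin/version.sh and compares versions with milestone suffixes handled (covering both the 9.0.0.M26 and the 10.0.0-M5 forms, which is more general than this page needs). The fixed-release table uses 9.0.12, 8.5.34 and 7.0.91 for CVE-2018-11784 as given on the Tomcat security pages; the version.sh transcripts are constructed samples.

```shell
#!/usr/bin/env bash
# Decide whether an installed Tomcat is older than the release that fixes an
# issue. Tomcat versions are MAJOR.MINOR.PATCH ("9.0.12"); pre-release
# milestones carry a suffix ("9.0.0.M26", or "10.0.0-M5" in the Tomcat 10
# style) and sort before the final release of the same number.

# num_cmp A B: print -1, 0 or 1 for two non-negative integers.
num_cmp() {
    if [ "$1" -lt "$2" ]; then printf '%s\n' -1
    elif [ "$1" -gt "$2" ]; then printf '%s\n' 1
    else printf '%s\n' 0
    fi
}

# tomcat_version_lt A B: return 0 if version A is older than version B.
tomcat_version_lt() {
    local a=$1 b=$2 amile= bmile= a1 a2 a3 b1 b2 b3 rest pair r
    # Peel off a trailing ".M<n>" or "-M<n>" milestone counter, if present.
    case $a in *[.-]M[0-9]*) amile=${a##*M}; a=${a%[.-]M*} ;; esac
    case $b in *[.-]M[0-9]*) bmile=${b##*M}; b=${b%[.-]M*} ;; esac
    IFS=. read -r a1 a2 a3 rest <<EOF
$a
EOF
    IFS=. read -r b1 b2 b3 rest <<EOF
$b
EOF
    for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
        r=$(num_cmp "${pair%%:*}" "${pair##*:}")
        if [ "$r" = -1 ]; then return 0; fi
        if [ "$r" = 1 ]; then return 1; fi
    done
    # Numeric parts are equal: a milestone is older than the final release,
    # and two milestones of the same number compare by their counter.
    if [ -n "$amile" ] && [ -z "$bmile" ]; then return 0; fi
    if [ -z "$amile" ]; then return 1; fi
    if [ "$(num_cmp "$amile" "$bmile")" = -1 ]; then return 0; fi
    return 1
}

# tomcat_installed_version TEXT: extract the version from bin/version.sh output.
tomcat_installed_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: *Apache Tomcat/##p' | head -n 1
}

# fixed_release_for VERSION: first release on VERSION's branch carrying the
# fix for CVE-2018-11784 (9.0.12, 8.5.34, 7.0.91 per the Tomcat security
# pages; substitute the table for the issue you are tracking). Prints nothing
# for a branch with no fixed release, such as 8.0.x (end of life June 2018).
fixed_release_for() {
    case $1 in
        9.*)   echo 9.0.12 ;;
        8.5.*) echo 8.5.34 ;;
        7.*)   echo 7.0.91 ;;
    esac
}

# tomcat_needs_upgrade TEXT: 0 if the installation described by version.sh
# output is older than its branch's fixed release, 1 if it already has the
# fix, 2 if the branch has no fixed release at all.
tomcat_needs_upgrade() {
    local installed fixed
    installed=$(tomcat_installed_version "$1")
    fixed=$(fixed_release_for "$installed")
    if [ -z "$fixed" ]; then
        echo "Tomcat $installed is on a branch with no fix: migrate to a supported branch"
        return 2
    fi
    if tomcat_version_lt "$installed" "$fixed"; then
        echo "Tomcat $installed is older than $fixed: upgrade"
        return 0
    fi
    echo "Tomcat $installed already includes the fix ($fixed)"
    return 1
}

# Constructed samples of $CATALINA_HOME/bin/version.sh output (not captured
# from real servers); only the "Server version" line matters here.
OLD_VERSION_SH='Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.0.M26
Server number:  9.0.0.0
OS Name:        Linux'
NEW_VERSION_SH='Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.12
Server number:  9.0.12.0
OS Name:        Linux'
EOL_VERSION_SH='Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/8.0.53
Server number:  8.0.53.0
OS Name:        Linux'

# Demonstration against the constructed samples.
tomcat_needs_upgrade "$OLD_VERSION_SH" || true
tomcat_needs_upgrade "$EOL_VERSION_SH" || true
```

In practice you would feed the real output, `tomcat_needs_upgrade "$("$CATALINA_HOME"/bin/version.sh)"`, and swap the table in fixed_release_for for whichever advisory you are checking against.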
 