CVE exploit of Tomcat 9/10/11

Hi all,

Does anyone know what to do about the serious CVE exploit in Tomcat? Does it pertain to all versions of Tomcat, including those installed with Lucee?

https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98

1 Like

If you are talking about this:
https://www.cve.org/CVERecord?id=CVE-2024-56337

It affects all versions of Tomcat, and it appears the binaries and source have not been released as of this morning to address the issue with Tomcat.

Once it's done, you can upgrade Tomcat and then install Lucee as a WAR, or wait for the patch service to deliver an updated binary.

1 Like

Apparently,

  1. the issue is relevant for versions of Apache Tomcat from 9.0.0.M1 through 9.0.97, from 10.1.0-M1 through 10.1.33 and from 11.0.0-M1 through 11.0.1;
  2. irrespective of the version in 1., the fix is to ensure that the Java property sun.io.useCanonCaches is set to false.

That depends on the Java version on which the Tomcat server runs:

  • For Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true);
  • For Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false);
  • For Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed).

In short, if the Java version is 8 or 11, you can mitigate this issue manually by adding the flag

    -Dsun.io.useCanonCaches=false

to the JVM settings.

5 Likes

I recently installed a fresh copy of Lucee and noted that it came with Tomcat 9.0.98 and Java 21.0.5, neither of which is affected. However, as BK_BK stated, there is a fix for other versions of Java.

Read Maintaining TomCat with Lucee to update Tomcat to 9.0.98 and if running Lucee 6.1.1.118, then you can also update Java to 21.

Note that if you saved trusted SSL certificates with Lucee, then in Lucee 6 the default truststore is now in Java rather than Lucee (see Secure LDAP docs does needs updating) and unless you set Lucee as the default truststore, you may have to re-trust certificates when updating Java, depending on your update method. Personally, I set the environment variable of lucee_use_lucee_SSL_TrustStore to a value of 1 and then use the Lucee truststore for SSL/TLS certificates, using the Lucee Admin GUI to install new certificates such as when trusting an LDAP server’s certificate. When updating Java, I just replace the whole contents of the ../lucee/jre folder with the Java update, without having to worry about re-trusting SSL certificates.

3 Likes

Hi, this worked fine for our Lucee 5 installs on Windows, but I cannot seem to get to the options section of Java/Lucee on Windows 2022. Clicking the Tomcat9.exe usually gets you the Windows service settings, and hence the Java tab to edit, but this does not work on Windows 2022. Does anyone have an idea how to change the Windows service options of Lucee 6? When I do the same actions as described for Lucee 5, it just opens a settings window and closes it just as fast…

Not using Lucee 6 on windows here, but the Lucee/Tomcat service settings are normally stored, and editable, in the registry. On my machine for Lucee 5 they are in this key:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\Lucee\Parameters\Java
1 Like
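The Java-version rule from BK_BK's post above and the Procrun registry key Julian gives, combined into one script. This is an added example, not code from this thread or from the Lucee project. It assumes the default service name lucee (override with -ServiceName), that the service's JVM settings live under one of the two Procrun "Parameters\Java" keys (the WOW6432Node path quoted above, or the non-WOW path that 64-bit Procrun builds use; the second path is my assumption), and that the Jvm value points at a jvm.dll under a Java home that contains the standard "release" file, which is where the Java major version is read from. Without -Apply it only reports what it would change.

```powershell
# Added example (not from this thread or the Lucee project). Ensures
# -Dsun.io.useCanonCaches=false is in a Procrun (Windows service) Lucee/Tomcat
# install's JVM options when the Java version needs it:
#   Java 8/11  -> flag required (defaults to true)
#   Java 17-20 -> only fix an explicit '=true'
#   Java 21+   -> nothing to do (property removed)
# Run from an elevated PowerShell; restart the service afterwards.
param(
    [string]$ServiceName = 'lucee',   # assumption: default installer service name
    [switch]$Apply                    # without -Apply: report only
)

$ErrorActionPreference = 'Stop'
$flag = '-Dsun.io.useCanonCaches=false'

# Java major version from the 'release' file of the JVM the service uses.
# Jvm is normally <java home>\bin\server\jvm.dll; walk up until 'release' is found.
function Get-JavaMajor([string]$JvmDll) {
    $dir = $JvmDll
    while ($dir -and -not (Test-Path (Join-Path $dir 'release'))) {
        $dir = Split-Path $dir -Parent            # becomes '' at the drive root
    }
    if (-not $dir) { return $null }               # e.g. Jvm = 'auto'
    $line = Get-Content (Join-Path $dir 'release') | Where-Object { $_ -like 'JAVA_VERSION=*' }
    if (-not $line) { return $null }
    $ver   = ($line -split '=', 2)[1].Trim('"')   # 1.8.0_392, 11.0.21, 21.0.5 ...
    $parts = $ver -split '[._]'
    if ($parts[0] -eq '1') { return [int]$parts[1] }  # legacy 1.x scheme => Java 8
    return [int]$parts[0]
}

# Procrun stores per-service JVM settings in one of these two hives (assumption:
# the non-WOW path is what 64-bit Procrun builds write; the WOW path is the one
# quoted in this thread).
$candidates = @(
    "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java",
    "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"
)
$key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { throw "No Procrun Java parameters found for service '$ServiceName'" }

$params  = Get-ItemProperty -Path $key
$options = @($params.Options | Where-Object { $_ })   # REG_MULTI_SZ: one JVM option per element
$major   = Get-JavaMajor $params.Jvm

$hasFalse = $options -contains $flag
$hasTrue  = $options -contains '-Dsun.io.useCanonCaches=true'

if ($null -eq $major) {
    Write-Warning "Could not read the Java version from Jvm='$($params.Jvm)'; assuming the flag is needed"
    $needFlag = $true
} elseif ($major -ge 21) {
    $needFlag = $false                 # property and cache no longer exist
} elseif ($major -ge 17) {
    $needFlag = $hasTrue               # default is already false; only undo an explicit true
} else {
    $needFlag = $true                  # Java 8 / 11 default to true
}

Write-Host "Service '$ServiceName': Java $major, $($options.Count) JVM option(s), flag present: $hasFalse"
if (-not $needFlag) { Write-Host 'No change required'; return }
if ($hasFalse -and -not $hasTrue) { Write-Host 'Mitigation already in place'; return }

# Drop any existing useCanonCaches setting (true or false) and append the safe one
$newOptions = @($options | Where-Object { $_ -notlike '-Dsun.io.useCanonCaches=*' }) + $flag

if ($Apply) {
    Set-ItemProperty -Path $key -Name Options -Value ([string[]]$newOptions) -Type MultiString
    Write-Host "Options updated under $key"
    Write-Host "Now restart the service: Restart-Service $ServiceName"
} else {
    Write-Host 'Would write Options (re-run with -Apply):'
    $newOptions | ForEach-Object { "  $_" }
}
```

Run it once without -Apply to see the current Options and the decision, then with -Apply. The registry is read, not the tomcat/bin/setenv.bat or catalina.bat files, because, as noted later in this thread, edits to those files do not reach Lucee when it runs as a Procrun service.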

Thanks @Julian_Halliwell, this worked for me, for Lucee 6 on Windows 2022.
Too bad it works differently on Windows versions, at least when doing it as described (partly) here: Setting properties and options on startup | Atlassian Support | Atlassian Documentation
But I guess doing it via the registry should always work :wink: .

1 Like

Sebastiaan, instead of running the tomcat9.exe (or tomcat9w.exe), you would want to run the luceew.exe, which is found alongside those in that [lucee]\tomcat\bin folder. It offers the UI you were seeking–and yep, it ends up editing the reg entry for you.

But it’s not new to Lucee 6. It was this way in Lucee 5 as well (for example, I have a reply in another thread here sharing this same tip in 2019.) And I can confirm that, yes, it works on Windows 2022 as well.

I certainly appreciate it’s not “common knowledge” that’s suggested often. People who don’t run the Lucee installer for Windows would not likely know of it, so that they often suggest editing files–which don’t end up affecting Lucee running as a service. And even folks having experience with the Tomcat installers for Windows and its service might try the Tomcat9w.exe–but again that doesn’t work here.

Hope this helps others who may ever seek the same sort of solution. :slight_smile:

Hi @carehart, thanks for chiming in.

The issue I had was that I do get the UI on somewhat older Windows machines, but not on Windows 2022 machines. I usually change the Java settings for Lucee that way, but for this particular Lucee 6 install it does not work. It just quickly opens a window and closes it at once. Trying to access tomcat9w.exe or Luceew.exe (instead of tomcat9.exe), I get the message that the executables aren't connected to a Windows service, hence they cannot be opened / edited / modified. That was my challenge; my workaround was doing it directly via the Registry.

Maybe it has something to do with the way Lucee 6 was installed (click - click - click, no deviant choices there in the official installer used; tomcat9.exe is connected to the Lucee 6 service in Windows), but I do not know. We're installing Lucee 6 on another server in the coming weeks - I'll see if we encounter the same issue there.

OK, and if you're interested in diagnosing and resolving things, I suspect we can, below.
First, like I said it worked as expected for me, on Server 2022, with the install run using the default values (“click-click-click”). And you’d only referred to using the tomcat9 and tomcat9w, which is why I’d explained the luceew.

1 ) As for the error with luceew, are you saying you get The specified service does not exist as an installed service? If so, note that it goes on to say, Unable to open the service "xxx". What is your xxx value? Is it “lucee” or something else? Take note of that.

Then go to Windows Services, and find the Lucee service (don’t worry if the name shown is something like, “Lucee 6.1.1.118 Apache Tomcat 9.0.98 lucee”). If you right-click it and choose properties, the first value is the “Service Name”–and in a default install that would indeed be just “lucee”. The longer name (in the services panel) is what’s shown in the properties as the “Display Name”. (For those who use the “Services” tab in Task Manager, what’s shown there is indeed the “service name” rather than the “display name”. They often don’t match.)

Anyway, there’s one more related setting on that service properties page, the “path to executable”, which again by default might show, C:\lucee\tomcat\bin\tomcat9.exe //RS//lucee. Notice how that last arg is indeed pointing to the “service name” value. (Assuming those match, that’s why the service does at least run.)

2 ) But as for the luceew.exe, if you are getting the error I showed at the top, the problem is simply that your “service name” (again, not the “display name”) is NOT lucee. How do I know? Hold that thought.

And FWIW, someone COULD change those service property values like the name, display name, etc. (or someone could have changed them) by editing those very registry entries you’re looking at, or by way of the Windows command line sc.exe tool, etc. But beware: if you DID change the service name, you’d then also have to change that “path to executable” to use a name that matches. Again, if the service starts, you may be better off leaving that alone. Do this instead…

3 ) And here’s what may be a real hidden gem for some. Recall I’d said that the luceew.exe DOES work but only if the service name is indeed “lucee”. Well, what if the service name WAS changed, such as to lucee6, for example? How would you tell the luceew.exe to know that lucee6 was now the service name? Well, there’s NOT any sort of arg or config file. Instead, there’s a surprising aspect to that program (and same with the tomcat9w.exe).

It’s designed (by Tomcat, not Lucee) such that WHATEVER is the name of that exe, that’s the service name it tries to control.

So if your Lucee service name (again, not the “display name”) was indeed lucee6, then if you simply renamed the luceew.exe to lucee6w.exe, it WOULD work. I realize some will think, “no way!”, but try it. :slight_smile: It really is so–and again I have confirmed it on Windows 2022 as well. [Apologies, when I first posted this, I mistakenly wrote lucee6.exe, instead of lucee6w.exe. Just a mistake while editing my text.]

Anyway, I realize all this is a lot more than most in this thread may have cared to hear. Sorry. I just wanted to help Seb out on this path he was heading down. :slight_smile: It’s a trail others have traveled, and it’s one that’s just not discussed often. Those using the zip/Express or WAR or commandbox approach to running Lucee might not even hear your calling out from this valley. :slight_smile:

2 Likes
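The service-name versus display-name versus exe-name mechanics Charlie walks through above, as an added PowerShell check (my code, not Charlie's and not the Lucee project's). It assumes the installer layout in which the service's "path to executable" is a tomcat*.exe followed by //RS//<service name>, and that the monitor program must be named <service name>w.exe in the same bin folder; the script reports the three names, flags a mismatch between the service name and the //RS// argument, and says which file to copy if the matching w.exe is missing (copying, rather than renaming as Charlie did, keeps the original luceew.exe around).

```powershell
# Added example (not from this thread or the Lucee project). For every Procrun/
# Tomcat service on the box, show the real service name, the display name and
# the //RS// argument from its command line, and check whether a <name>w.exe
# (the settings UI) exists next to the service exe.
$svcs = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'tomcat\d*\.exe' }
if (-not $svcs) { throw 'No Procrun/Tomcat service found on this machine' }

foreach ($svc in $svcs) {
    # PathName looks like: C:\lucee\tomcat\bin\tomcat9.exe //RS//lucee   (quotes optional)
    $exe = $svc.PathName -replace '^"?(.+?\.exe)"?.*$', '$1'
    $bin = Split-Path $exe -Parent

    # Procrun names the service it will run as //RS//<service name>
    $rsName = if ($svc.PathName -match '//RS//(\S+)') { $Matches[1] } else { $null }

    # The monitor exe (tomcat9w.exe / luceew.exe) controls the service whose
    # name equals its own file name minus the trailing 'w' - so this is the
    # file that must exist for the settings UI to open.
    $monitor = Join-Path $bin "$($svc.Name)w.exe"

    [pscustomobject]@{
        ServiceName   = $svc.Name          # what luceew.exe / sc.exe use
        DisplayName   = $svc.DisplayName   # what the Services panel shows
        State         = $svc.State
        Executable    = $exe
        RSArgument    = $rsName
        NameMatches   = ($rsName -eq $svc.Name)
        MonitorExe    = $monitor
        MonitorExists = (Test-Path $monitor)
    }

    if ($rsName -ne $svc.Name) {
        Write-Warning "Service '$($svc.Name)' is started with //RS//$rsName; the two names must match"
    }
    if (-not (Test-Path $monitor)) {
        # Prefer the Lucee installer's luceew.exe, fall back to the stock tomcat9w.exe
        $src = Join-Path $bin 'luceew.exe'
        if (-not (Test-Path $src)) { $src = Join-Path $bin 'tomcat9w.exe' }
        Write-Host "No settings UI for '$($svc.Name)': copy `"$src`" to `"$monitor`" and double-click it"
    }
}
```

If NameMatches is false the service's registry entry and its //RS// argument have drifted apart (for instance after a manual rename with sc.exe), which is the "specified service does not exist" symptom Charlie describes; fix the names first, then worry about the w.exe.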

I’ll try this out tomorrow Charlie, thanks so far!

Sick, that just works, even without restarting the service :smiley: . Just wonderful, thanks @carehart. Now I can indeed change the Java settings by double-clicking on the LUCEE6.exe on Windows 2022! Yeaiii, never too old to learn something new :wink: .