Upgrade Tomcat 8.5.35 to 8.5.69

A client has requested that we upgrade Tomcat for security purposes. I tried downloading 8.5.69 (core zip), extracting to a temp location, stopping the Tomcat service, and copying the lib folder to lucee\tomcat\lib overwriting. The Tomcat service fails to restart.

I also tried copying other files from the temp location, but nothing seemed to work. At one point I was able to get the Tomcat service to restart, but Lucee admin failed to run.

Any ideas? Thanks.

OS: Windows Server 2012 R2 (6.3) 64bit
Java Version: 1.8.0_192
Tomcat Version: 8.5.35
Lucee Version: 5.3.7.48

Try running C:\lucee\tomcat\bin\startup.bat via the command line; you should get some hopefully useful error messages.

Check the logs dir for clues, specifically catalina.out

–
Pete Freitag
Foundeo Inc.

Zackster, thanks. After setting some environment variables, startup.bat returned the following:

C:\Windows\System32>c:\lucee\tomcat\bin\startup.bat
Using CATALINA_BASE:   "c:\lucee\tomcat\"
Using CATALINA_HOME:   "c:\lucee\tomcat\"
Using CATALINA_TMPDIR: "c:\lucee\tomcat\\temp"
Using JRE_HOME:        "c:\lucee\jdk\"
Using CLASSPATH:       "c:\lucee\tomcat\\bin\bootstrap.jar;c:\lucee\tomcat\\bin\tomcat-juli.jar"

I didn’t notice any error messages.

pfreitag:

I saw the following exception:

05-Aug-2021 07:07:29.605 SEVERE [main] org.apache.tomcat.util.digester.Digester.startElement Begin event threw exception
 java.lang.ClassNotFoundException: mod_cfml.core

I copied mod_cfml-valve_v1.1.05.jar from the lib-old to the new lib folder, and the service started. Lucee Admin runs and shows Tomcat 8.5.69

Thanks a bundle.

Even though Lucee Admin started, my website start page is not loading. The browser simply hangs with no timeout message. I saw the following in the catalina log:
05-Aug-2021 07:16:03.857 SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]
 org.apache.catalina.LifecycleException: Protocol handler start failed
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:1102)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.StandardService.startInternal(StandardService.java:444)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:770)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:353)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:493)
Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
	at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:1099)

I’m not sure how to correct this problem.

The cause is that in your server.xml you have the secretRequired="true" attribute but no password in the AJP connector. Set it to false if you are not in a shared environment, or set a password. If so, you need to set a password for your BonCode connector also; an upgrade of the BonCode connector may be necessary.

See this post and the following
https://lucee.daemonite.io/t/tomcat-cve-2020-1938-ghostcat-ajp/6650/3?u=andreas


Thanks andreas. I set it to “false” for now.


@bill you may experience constant 1-second delays after the upgrade. This is a bug in Tomcat’s AJP connector and you can fix it by setting the address attribute to ::1. The “how to” is also posted in the ghostcat thread here.

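An added example, not code from any poster in this thread or from the Tomcat or Lucee projects: a Python check of server.xml for the two AJP connector states discussed above, secretRequired="true" with no secret (the connector refuses to start) and a connector with no secret that listens beyond loopback. The sample XML, its ports and the secret value are constructed, and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not the poster's server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" secretRequired="true" />
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false" />
    <Connector port="8011" protocol="AJP/1.3" address="::1" secretRequired="false" />
    <Connector port="8012" protocol="AJP/1.3" address="0.0.0.0" secret="example-only" />
  </Service>
</Server>"""


def is_loopback(address):
    """True when the connector only listens on the local machine."""
    if address is None:  # no address attribute: AJP listens on loopback by default
        return True
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:  # a hostname we cannot classify is treated as exposed
        return False


def audit_ajp(server_xml):
    """Return {port: finding} for every AJP connector in the server.xml text."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope for this check
        port = conn.get("port")
        secret = conn.get("secret") or ""
        # secretRequired defaults to true when the attribute is absent
        required = conn.get("secretRequired", "true").lower() == "true"
        if required and not secret:
            findings[port] = "FAIL: secretRequired=true without secret, connector will not start"
        elif not secret and not is_loopback(conn.get("address")):
            findings[port] = "WARN: no secret and reachable beyond loopback"
        else:
            findings[port] = "OK"
    return findings


if __name__ == "__main__":
    for port, finding in audit_ajp(SAMPLE_SERVER_XML).items():
        print(port, finding)
```

A WARN result means any host that can reach the port can speak AJP to Tomcat, so either bind the connector to loopback or set the same secret on the connector and on the web server side.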