Upgrade Tomcat 8.5.35 to 8.5.69

A client has requested that we upgrade Tomcat for security purposes. I tried downloading 8.5.69 (core zip), extracting to a temp location, stopping the Tomcat service, and copying the lib folder to lucee\tomcat\lib overwriting. The Tomcat service fails to restart.

I also tried copying other files from the temp location, but nothing seemed to work. At one point I was able to get the Tomcat service to restart, but Lucee admin failed to run.

Any ideas? Thanks.

OS: Windows Server 2012 R2 (6.3) 64bit
Java Version: 1.8.0_192
Tomcat Version: 8.5.35
Lucee Version: 5.3.7.48

Try running C:\lucee\tomcat\bin\startup.bat via the command line; you should get some hopefully useful error messages.

Check the logs dir for clues, specifically catalina.out


Pete Freitag
Foundeo Inc.

Zackster, thanks. After setting some environment variables, startup.bat returned the following:

C:\Windows\System32>c:\lucee\tomcat\bin\startup.bat
Using CATALINA_BASE:   "c:\lucee\tomcat\"
Using CATALINA_HOME:   "c:\lucee\tomcat\"
Using CATALINA_TMPDIR: "c:\lucee\tomcat\\temp"
Using JRE_HOME:        "c:\lucee\jdk\"
Using CLASSPATH:       "c:\lucee\tomcat\\bin\bootstrap.jar;c:\lucee\tomcat\\bin\tomcat-juli.jar"

I didn’t notice any error messages.

pfreitag:

I saw the following exception:

05-Aug-2021 07:07:29.605 SEVERE [main] org.apache.tomcat.util.digester.Digester.startElement Begin event threw exception
 java.lang.ClassNotFoundException: mod_cfml.core

I copied mod_cfml-valve_v1.1.05.jar from the lib-old to the new lib folder, and the service started. Lucee Admin runs and shows Tomcat 8.5.69.

Thanks a bundle.

Even though Lucee Admin started, my website start page is not loading. The browser simply hangs with no timeout message. I saw the following in the catalina log:
05-Aug-2021 07:16:03.857 SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]
 org.apache.catalina.LifecycleException: Protocol handler start failed
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:1102)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.StandardService.startInternal(StandardService.java:444)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:770)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:353)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:493)
Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
	at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:1099)

I’m not sure how to correct this problem.

The cause is that your server.xml has the secretRequired="true" attribute but no password in the AJP connector. Set it to false if you are not in a shared environment, or set a password. If so, you need to set a password for your BonCode connector also; an upgrade of the BonCode connector may be necessary.

See this post and the following
https://dev.lucee.org/t/tomcat-cve-2020-1938-ghostcat-ajp/6650/3?u=andreas


Thanks andreas. I set it to “false” for now.


@bill you may experience constant 1-second delays after the upgrade. This is a bug in Tomcat’s AJP connector and you can fix it by setting the address attribute to ::1. The “how to” is also posted in the ghostcat thread here.

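As an added example (not code from this thread or from the Tomcat or Lucee projects), this Python script audits the AJP connectors in a server.xml for the conditions discussed above: secretRequired in effect with an empty secret (the startup failure), an AJP connector with no secret at all, and an unset or non-loopback address. The sample XML is constructed, and treating an absent secretRequired as "true" is an assumption about the Tomcat release in use.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml (not the poster's real file).
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false" />
    <Connector port="8011" protocol="AJP/1.3" address="::1" secretRequired="true" secret="CHANGE-ME" />
  </Service>
</Server>"""


def audit_ajp(server_xml):
    """Return {port: [findings]} for every AJP connector in the server.xml text."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue  # only AJP connectors are relevant here
        findings = []
        # Assumption: secretRequired defaults to true when the attribute is absent.
        required = conn.get("secretRequired", "true").lower() == "true"
        # requiredSecret is the older attribute name for secret.
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        address = conn.get("address")
        if required and not secret:
            findings.append("startup-fail: secretRequired is true but secret is empty")
        if not required and not secret:
            findings.append("no-auth: connector accepts AJP requests without a secret")
            if address is not None and address not in LOOPBACK:
                findings.append("exposed: unauthenticated AJP bound to " + address)
        if address is None:
            findings.append("address-unset: set address explicitly (the thread suggests ::1)")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_ajp(SAMPLE).items():
        print(port, findings or ["ok"])
```

Whatever secret is set on the Tomcat side has to match the one configured in the BonCode connector, as noted in the reply above.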