You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Edao, Aliye" <al...@atos.net> on 2013/08/08 13:05:27 UTC
Altering ServerInfo.properties in Tomcat => ClassNotFoundException
Dear all,
Altering ${catalina_home}/lib/org/apache/catalina/util/ServerInfo.properties because of information disclosure concerns (TC version number)
in apache-tomcat-6.0.37, apache-tomcat-7.0.40, apache-tomcat-7.0.42 and Apache Tomcat/8.0.0-RC1 as mentioned in the documentation
(http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html, http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html)
leads to ClassNotFoundException and Tomcat cannot be started.
The older versions of Tomcat 6 and Tomcat 7 are not affected. Is this now intended or did I miss something?
Error message (Tomcat 8):
java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:271)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:461)
Tomcat:
apache-tomcat-6.0.37
apache-tomcat-7.0.40
apache-tomcat-7.0.42
Tomcat/8.0.0-RC1
JDK:
Oracle jdk1.7.0_25
OS:
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 1
Thank you very much!
Re: Altering ServerInfo.properties in Tomcat => ClassNotFoundException
Posted by Mark Eggers <it...@yahoo.com>.
On 8/8/2013 7:14 AM, Daniel Mikusa wrote:
> On Aug 8, 2013, at 7:05 AM, "Edao, Aliye" <al...@atos.net> wrote:
>
>> Dear all,
>>
>> Altering ${catalina_home}/lib/org/apache/catalina/util/ServerInfo.properties because of information disclosure concerns (TC version number)
>> in apache-tomcat-6.0.37, apache-tomcat-7.0.40, apache-tomcat-7.0.42 and Apache Tomcat/8.0.0-RC1 as mentioned in the documentation
>> (http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html, http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html)
>> leads to ClassNotFoundException and Tomcat cannot be started.
>>
>> The older versions of Tomcat 6 and Tomcat 7 are not affected. Is this now intended or did I miss something?
>>
>> Error message (Tomcat 8):
>
> I'm not seeing this issue in my environment. I've pulled and built Tomcat 8 from SVN though. Perhaps you could try that and see if the issue has already been resolved?
>
> Here are the steps I followed:
>
> 1.) Check out Tomcat 8 from SVN (svn co https://svn.apache.org/repos/asf/tomcat/trunk/ tomcat-trunk)
> 2.) Build (instructions can be found here -> https://svn.apache.org/repos/asf/tomcat/trunk/BUILDING.txt)
> 3.) cd to output/build/
> 4.) cd to lib
> 5.) mkdir -p org/apache/catalina/util
> 6.) unzip catalina.jar org/apache/catalina/util/ServerInfo.properties
> 7.) Edit org/apache/catalina/util/ServerInfo.properties, replace info with "N/A".
> 8.) ./bin/startup.sh
> 9.) Check the logs, which were clean for me.
> 10.) curl http://localhost:8080/does-not-exist verify output has version listed as "N/A".
>
> Dan
I'm not seeing this in my environment either:
1. 64 bit Windows 7
2. JRE 1.7.0_25
3. Tomcat 7.0.42
a. create a file
%CATALINA_HOME%\lib\org\apache\catalina\util\ServerInfo.properties
b. server.info=unknown
c. start up Tomcat from batch file
d. clean logs
e. Browse to http://localhost:8080/foo
f. get Server unknown at the bottom of the error page
g. Manager application also reports unknown for server version
/mde/
>
>>
>> java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
>> at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
>> at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>> at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
>> at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
>> at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:271)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:461)
>>
>> Tomcat:
>>
>> apache-tomcat-6.0.37
>> apache-tomcat-7.0.40
>> apache-tomcat-7.0.42
>> Tomcat/8.0.0-RC1
>>
>> JDK:
>> Oracle jdk1.7.0_25
>>
>> OS:
>> SUSE Linux Enterprise Server 11 (x86_64)
>> VERSION = 11
>> PATCHLEVEL = 1
>>
>> Thank you very much!
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Altering ServerInfo.properties in Tomcat => ClassNotFoundException
Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Aug 8, 2013, at 7:05 AM, "Edao, Aliye" <al...@atos.net> wrote:
> Dear all,
>
> Altering ${catalina_home}/lib/org/apache/catalina/util/ServerInfo.properties because of information disclosure concerns (TC version number)
> in apache-tomcat-6.0.37, apache-tomcat-7.0.40, apache-tomcat-7.0.42 and Apache Tomcat/8.0.0-RC1 as mentioned in the documentation
> (http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html, http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html)
> leads to ClassNotFoundException and Tomcat cannot be started.
>
> The older versions of Tomcat 6 and Tomcat 7 are not affected. Is this now intended or did I miss something?
>
> Error message (Tomcat 8):
I'm not seeing this issue in my environment. I've pulled and built Tomcat 8 from SVN though. Perhaps you could try that and see if the issue has already been resolved?
Here are the steps I followed:
1.) Check out Tomcat 8 from SVN (svn co https://svn.apache.org/repos/asf/tomcat/trunk/ tomcat-trunk)
2.) Build (instructions can be found here -> https://svn.apache.org/repos/asf/tomcat/trunk/BUILDING.txt)
3.) cd to output/build/
4.) cd to lib
5.) mkdir -p org/apache/catalina/util
6.) unzip catalina.jar org/apache/catalina/util/ServerInfo.properties
7.) Edit org/apache/catalina/util/ServerInfo.properties, replace info with "N/A".
8.) ./bin/startup.sh
9.) Check the logs, which were clean for me.
10.) curl http://localhost:8080/does-not-exist verify output has version listed as "N/A".
Dan
>
> java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
> at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
> at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
> at java.security.AccessController.doPrivileged(Native Method)
> at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:271)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:461)
>
> Tomcat:
>
> apache-tomcat-6.0.37
> apache-tomcat-7.0.40
> apache-tomcat-7.0.42
> Tomcat/8.0.0-RC1
>
> JDK:
> Oracle jdk1.7.0_25
>
> OS:
> SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 1
>
> Thank you very much!
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Altering ServerInfo.properties in Tomcat => ClassNotFoundException
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Aliye,
On 8/8/13 7:05 AM, Edao, Aliye wrote:
> Dear all,
>
> Altering
> ${catalina_home}/lib/org/apache/catalina/util/ServerInfo.properties
> because of information disclosure concerns (TC version number) in
> apache-tomcat-6.0.37, apache-tomcat-7.0.40, apache-tomcat-7.0.42
> and Apache Tomcat/8.0.0-RC1 as mentioned in the documentation
> (http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html,
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html) leads
> to ClassNotFoundException and Tomcat cannot be started.
>
> The older versions of Tomcat 6 and Tomcat 7 are not affected. Is
> this now intended or did I miss something?
>
> Error message (Tomcat 8):
>
> java.lang.ClassNotFoundException:
> org.apache.catalina.startup.Catalina at
> java.net.URLClassLoader$1.run(URLClassLoader.java:366) at
> java.net.URLClassLoader$1.run(URLClassLoader.java:355) at
> java.security.AccessController.doPrivileged(Native Method) at
> java.net.URLClassLoader.findClass(URLClassLoader.java:354) at
> java.lang.ClassLoader.loadClass(ClassLoader.java:424) at
> java.lang.ClassLoader.loadClass(ClassLoader.java:357) at
> org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:271) at
> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:461)
>
> Tomcat:
>
> apache-tomcat-6.0.37 apache-tomcat-7.0.40 apache-tomcat-7.0.42
> Tomcat/8.0.0-RC1
What is the difference between your ServerInfo.properties and the one
from catalina.jar?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJSA6ZIAAoJEBzwKT+lPKRYyM0QALWYY0XspcBn8hXfeJDGnQCz
ooC6p/LCL+2FZq0gJA08nWmv7u72tgQfUUonHKExffJuK23gEGMoecQLP3r0AwKS
YD4Z7AqKHePH+rnigf/LkS+sKqB1OROuIDo7mjFY1Num8keovyTwJxpyqzUbUjUA
6SNF55ILH1X48gUqCyV2AatxQv+wz3ibFN16WWpQ1Lj9do3jlsJtsrANppAX+oxT
0wDJ7a85jeSG2DIIECOYWvWwYGv+fDx/WrXWNA5FbsVC86ov0Uc4e27BORTe7CmV
GvcJtccKlSK/X4CrGFP5U6KhcuNwHsMPtoDs5vEDgoPseHA21Ea1o6YzR+9lPwvr
CzCK9uBv1dHg4YFJvDWF204OAu+/KPHBuRQmy2czkDWhsQESZ/mOFHB8MCkRa2O6
gKRwcDeZAdSD+rYxWTYSwHa53qEv36ymEDDfsU+X3DJ20sIdLeZQjD6XUIG4an5X
jAPdHIOgJhWzvjSwq5zlCOzk5TZnmEgjv3z1iWQIA2W2DRrjUeFBmDA/8ceP13sY
LnBv7GWmPsLCPrnwEqnAsazIH5FLFlkOy3xyqYCT+R2u3su4bUSVeUhpefGdiBgS
EWU3qJSH+LOKgppbB++uggiftT/6iQKH1EJRyTvFvN9CGdGwdeuY3lbnbhh4AP8F
FGyiq6eugLJKF8943mAO
=Vs+L
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org