-
Language:
English
-
Language:
English
Red Hat Training
A Red Hat training course is available for Red Hat JBoss Web Server
3.1.0 Release Notes
For Use with Red Hat JBoss Web Server 3.1
Abstract
Chapter 1. Introduction to Red Hat JBoss Web Server 3.1
Welcome to Red Hat JBoss Web Server, formerly known as JBoss Enterprise Web Server. These Release Notes detail information about new features, enhancements, technical preview, known issues, and resolved issues. Use this document in conjunction with the entire JBoss Web Server 3.1 documentation suite, available on the Red Hat Customer Portal: https://access.redhat.com/documentation/en/red-hat-jboss-web-server/.
1.1. About Red Hat JBoss Web Server
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of a web server (Apache HTTP Server), application server (Apache Tomcat Servlet container), load balancers (mod_jk and mod_cluster), and the Tomcat Native Library.
Chapter 2. New Features and Enhancements
2.1. Apache HTTP Server Separated from Tomcat
The Apache HTTP Server distribution is now shared between the JWS and JBoss Core Services entitlements. The shared distribution can be downloaded in ZIP from Apache HTTP Server download page on the support portal. The RPM distribution of HTTP must be consumed from the JBCS channel, while the Tomcat servers will continue to be delivered in the JWS3 channel.
Installation instructions for the Apache HTTP Server are provided in the Apache HTTP Server Installation Guide. You should refer to that guide for instructions for ZIP and RPM setup on the set of supported operating systems.
Maintenance for the Apache HTTP Server and the Tomcat servers will no longer be coordinated in JWS minor and micro releases. The HTTP server and the Tomcat servers will receive independent updates intended to provide more timely fixes for security and other high priority defect fixes.
2.2. Transition from httpd24 (JWS3 Channel) to jbcs-httpd24-httpd (JBCS Channel)
To install httpd
with JWS 3.1.0, you need to subscribe and enable the JBCS channel. The httpd
package has moved from the JWS channel to the JBCS channel. If you are using httpd
, then migrate from the httpd24
package in JWS to the JBCS software collections new jbcs-httpd24-httpd
package.
2.3. tomcat-native Dependencies Available in the JBCS Channel
The tomcat-native
package requires the jbcs-httpd24-httpd-libs
and jbcs-httpd24-openssl
packages, which are available only in the JBCS channel. To access them, you have to subscribe and enable the JBCS channel.
2.4. Tomcat
- Inclusion of the latest available version of Tomcat 8.0.36.
- Inclusion of the latest available version of Tomcat 7.0.70.
-
Replaced the existing
init
scripts for Tomcat 7 and Tomcat 8 withsystemd
units on Red Hat Enterprise Linux 7.
2.5. Using a Password Vault with Red Hat JBoss Web Server 3.1
A password vault is used to mask passwords and other sensitive strings, and store them in an encrypted Java keystore. This allows you to eliminate storing clear-text passwords in your Tomcat configuration files, as Tomcat can lookup passwords and other sensitive strings from a keystore using the vault.
For more information about using password vault, see Using a Password Vault with Red Hat JBoss Web Server 3.1.
2.6. SELinux Policies in RHEL ZIP for Tomcat
In this release, SELinux policies are provided in the ZIP packages. The SELinux security model is enforced by the kernel and ensures applications have limited access to resources such as file system locations and ports. This helps ensure that the errant processes (either compromised or poorly configured) are restricted and in some cases prevented from running. The .postinstall.selinux
file is included in each tomcat
folder. If required, you can run the postinstall.selinux
script.
To install the SELinux policies using ZIP:
Install the prerequisite packages:
-
selinux-policy-devel
- Tomcat 7 or 8
-
- Download and unzip the JWS Tomcat distribution from the JWS channel.
Execute the following commands:
cd $JWS_HOME/tomcat7 OR cd $JWS_HOME/tomcat8 sh .postinstall.selinux cd selinux make -f /usr/share/selinux/devel/Makefile semodule -i tomcat7.pp OR semodule -i tomcat8.pp cd $JWS_HOME
Start the Tomcat service.
bin/startup.sh
Check the context of the running process expecting
tomcat7_t
.ps -eZf | grep tomcat | head -n1
To verify the contexts of the Tomcat log directory and so on.
ls -lZ tomcat7/logs/
2.7. SELinux Policies in RHEL RPM for Tomcat
SELinux policies for each Tomcat are provided via their own Tomcat sub-packages: tomcat7-selinux
and tomcat8-selinux
. These packages are available in the JWS channel.
-
To enable SELinux policies on Tomcat 7, install the
tomcat7-selinux
package. -
To enable SELinux policies on Tomcat 8, install the
tomcat8-selinux
package.
2.8. Hibernate
- Upgraded to Hibernate version 4.2.23.
2.9. Microsoft Azure Testing and Certification
- JBoss Web Server 3.1 has been tested and certified for Microsoft Azure.
2.10. Updated CGIServlet to Resolve httpoxy Issue
In this release, a CGIServlet fix is provided for the httpoxy issue, see CVE-2016-5388. The envHttpHeaders
parameter is included in the CGIServlet to solve the httpoxy issue.
You can also configure the filter and valve to resolve the httpoxy issue. For more information about using the filter and valve, see HTTPoxy - Is my JBoss/tomcat affected?.
Chapter 3. Technology Preview
The following configurations and features are provided as technology previews only. They are not supported in a production environment, and may be subject to significant changes. See this note on the Red Hat Customer Portal on the support scope for Technology Preview features.
3.1. Configuring the web.xml to Use the SPNEGO Authentication Method
The SPNEGO authentication method is available as a technical preview.
Chapter 4. Verified CVEs
JWS-431 CVE-2016-3092 Tomcat: Usage of vulnerable FileUpload package can result in denial of service
A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.
JWS-498 CVE-2016-6794 Provide a mechanism that enables the container to check if a component has been granted a given permission
It was discovered that when a SecurityManager is configured, Tomcat’s system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
JWS-500 CVE-2016-6797 Tomcat: unrestricted access to global resources
It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
JWS-567 CVE-2016-0762 Tomcat: timing attack in Realm implementation
The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm, which makes exploitation of this vulnerability harder.
JWS-568 CVE-2016-6796 Tomcat: security manager bypass via JSP Servlet config parameters
It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.
JWS-569 CVE-2016-5018 Tomcat: security manager bypass via IntrospectHelper utility function
It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
JWS-577 CVE-2016-6816 Tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.
JWS-578 CVE-2016-8735 Tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener
The JmxRemoteLifecycleListener was not updated to take account of Oracle’s fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.
JWS-619 CVE-2016-8745 Tomcat: information disclosure due to incorrect Processor sharing
A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This lead to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.
JWS-538 CVE-2016-1240 Tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation
It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.
JWS-490 CVE-2016-6325 Tomcat: tomcat writable config files allow privilege escalation
It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
JWS-701 CVE-2017-5647 Tomcat: Incorrect handling of pipelined requests when send file was used
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
@TIM, MICHAL: THE MENTIONED JIRA IS NOT VISIBLE DUE TO THE CURRENT PERMISSION FOR THE JIRA. THIS NEEDS TO BE FIXED BY THE PM TEAM
JWS-668 CVE-2017-5648 Tomcat: Calls to application listeners did not use the appropriate facade object
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
@TIM, MICHAL: THE MENTIONED JIRA IS NOT VISIBLE DUE TO THE CURRENT PERMISSION FOR THE JIRA. THIS NEEDS TO BE FIXED BY THE PM TEAM
Chapter 5. Verified and Resolved Issues
5.1. Verified Issues
The following JIRAs have been verified in this release:
- JWS-162 - ASF Bug 57546 – Memory Leak in SecureNioChannel Tomcat8
- JWS-67 - ASF BZ 59859 – Windows Tomcat8 WebDAV move operation fails
- JWS-411 - RPM: dependency on base-os 'apr-util-ldap' package from '-optional' channel
- JWS-586 - Tomcat-vault INSTALL file is wrong
- JWS-572 - Possible async deadlocks
- JWS-516 - RHEL6 RPM: /usr/sbin/tomcat7 and /usr/sbin/tomcat8 don’t work
- JWS-499 - Compatibility with rewrite from httpd for non existing headers
- JWS-518 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
5.2. Resolved Issues
The following issues have been included in this release, but have yet to be functionally tested:
Chapter 6. Known Issues for the 3.1.0 Release
- JWS-365 - Socked bind failed on link-local (IPv6)
If you bind to a link-local IPv6 address, a SEVERE exception will be logged and the connector will fail to initialize.
Workaround
Bind the address in the configuration file without using the brackets. For instance, the following configuration snippet would bind correctly:
Listen ffff::ffff:ffff:ffff:ffff%3:80
- JWS-132 - JON Tomcat: NullPointerException when Tomcat Web Application (WAR) config change
When monitoring JBoss Web Server using JBoss ON, a
NullPointerException
similar to below may be thrown when a Tomcat web application’s configuration changed.java.lang.NullPointerException at org.rhq.plugins.jmx.MBeanResourceComponent.updateResourceConfiguration(MBeanResourceComponent.java:532) at org.jboss.on.plugins.tomcat.TomcatWarComponent.updateResourceConfiguration(TomcatWarComponent.java:950) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.rhq.core.pc.inventory.ResourceContainer$ComponentInvocation.call(ResourceContainer.java:759) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745)
The cause of this issue is currently under investigation.
Workaround
None
- JWS-86- Upgrading Tomcat plugin, metric names not updated
When upgrading a RHQ 4.5 installation to 4.6, the Tomcat plugin may not be properly updated. In this situation the following exception is thrown:
java.lang.IllegalArgumentException: The property [name] marked as required in the configuration definition of [Tomcat Connector] has no attribute 'default'
The cause of this issue is currently under investigation.
Workaround
None
- JWS-63 - Tomcat mod_cluster integration does not allow one to choose a connector
Configuring
mod_cluster
to usews://
withEnableWsTunnel
(mod_proxy_wstunnel
) requires Tomcat to use ahttp
connector, and does not allow you to use anajp
connector. At the moment, Tomcat ignores this option. This issue is expected to be fixed in a future update.Workaround
None
- JWS-185 - (ASF BZ 53971) IPv6: address slowing down Tomcat on MS Windows
When an IPv6 address is used to start Tomcat 7 on Microsoft Windows (for example,
<Connector port="8080" protocol="HTTP/1.1" address="::" />
), this results in a significantly slowed down shutdown process when Tomcat is shutdown. During the shutdown process, thecatalina.log
file contains a warning similar to the following:WARNING: Acceptor thread [http-0%3A0%3A0%3A0%3A0%3A0%3A0%3A0-8080-Acceptor-0] failed to unlock. Forcing hard socket shutdown
The cause of this issue is currently under investigation.
Workaround
None
- JWS-6 - hibernate c3p0 mchange-commons-java raises error on IBMJDK
If using
mchange-commons-java
in Hibernate c3p0 on an IBM JDK, ajava.lang.ClassNotFoundException: org.slf4j.ILoggerFactory
error may be thrown, such as the following:java.lang.ClassNotFoundException: org.slf4j.ILoggerFactory at org.apache.catalina.loader.WebappClassLoader.loadClass(Unknown Source) at org.apache.catalina.loader.WebappClassLoader.loadClass(Unknown Source) at java.lang.Class.forNameImpl(Native Method) at java.lang.Class.forName(Class.java:199) at com.mchange.v2.log.MLog.findByClassnames(MLog.java:143) at com.mchange.v2.log.MLog.refreshConfig(MLog.java:73) at com.mchange.v2.log.MLog.<clinit>(MLog.java:51)
The cause of this issue is currently under investigation.
Workaround
You can work around this issue by setting the following property in your application:
System.setProperty("com.mchange.v2.log.MLog", "com.mchange.v2.log.jdk14logging.Jdk14MLog");
- JWS-645 - Document tomcat-native dependency on JBCS channel for jbcs-httpd24-httpd-libs
Installing the
tomcat-native
package fails due to thejbcs-httpd24-httpd-libs
missing dependency.Workaround
Ensure that the JBCS channel is enabled on the system when installing the
tomcat-native
package.- JWS-653 - Solaris, Windows - same tomcat-juli-adapters.jar and tomcat-juli.jar for Tomcat 7 and 8
The
tomcat-juli
andtomcat-juli-adapters
JARs provided by theextras
libraries in thejws-application-servers
distribution for Windows and Solaris are incorrect for Tomcat 7. They are duplicates of the Tomcat 8 jars.Workaround
None
- JWS-521 - Add JSVC script to tomcat distribution
A JSVC wrapper was added to Tomcat on RHEL 6, however, the
init
script is missing. Additionally, the RHEL 7systemd
unit uses the system’s JSVC binary rather than the JBCS provided binary.Workaround
There is no workaround for the missing RHEL 6 init script. However, to workaround the RHEL 7
systemd
unit issue, you have to manually update the path of the JSVC binary in the/usr/libexec/tomcat*/functions
script to point to the correct/opt/rh/jbcs-httpd24/root/usr/bin/jsvc
binary.- JWS-470 - RHEL 6 RPM Confusing service status output for tomcat7 and tomcat8 installed both on RHEL system
When running multiple instances of tomcat the
init
script status command may return incorrect information.Workaround
None
- JWS-401 - Tomcat does not properly parse spaces in JVM parameters/settings
Tomcat fails to start when using
JAVA_OPTS
, which have spaces in them.Workaround
None
- JWS-657 - tomcat-native installs RHEL apr in addition to jbcs-httpd24-httpd-libs
The installation of the
tomcat-native
RPM still incorrectly requires the installation of theapr
/apr-util
libraries distributed with RHEL. However, these libraries are not required as theapr
/apr-utils
versions distributed by JBCS are used. This requirement for the unused RHELapr
/apr-util
libraries will be removed in a future update.Workaround
If the RHEL
apr
/apr-util
libraries are not installed, the system must be subscribed to the RHEL channel and the channel be enabled.- JWS-649 - Tomcat security-manager starting with errors in log
The manager and host-manager web applications fail to deploy when using the Security Manager.
Workaround
If you install the admin-webapps using the Security Manager, then move the
context.xml
from the manager and host-manager web applications, otherwise the admin applications will not deploy. Move fromCATALINA_HOME/webapps/[host-]manager/META-INF/context.xml
toCATALINA_HOME/conf/Catalina/localhost/[host-]manager.xml
.- JWS-280 - Running async example servlet multiple times causes Tomcat crash
If the async example servlet is run multiple times, it causes Tomcat to crash.
Workaround
None
- JWS-647 - Hibernate missing some JAR files in RPMs
If you install Hibernate using the RPM package from JWS3 channel, some files are missing.
Workaround
These missing Hibernate files are available in the ZIP distribution.
- JWS-663 - service.bat for Tomcat 8 does not correctly set library path, natives not loaded
The
service.bat
for Tomcat 8 does not correctly set the library path and so the natives are not loaded.Workaround
You have to manually append
C:\Program Files\jws-3.1\bin
to the system’s PATH and start the Tomcat 8 service again.- JWS-662 - Windows, Cannot unzip Hibernate zip in GUI: Error: Path too long
On Windows, the Hibernate ZIP files displays an error if you unzip it using the user interface.
Workaround
Use PowerShell to unzip the Hibernate file.
$src = "C:\Users\ben\Documents\3.1.0-CR7\hibernate-dist-3.1.0-CR7.zip" $dst = "C:\Users\ben\Documents\3.1.0-CR7\" Add-Type -assembly "system.io.compression.filesystem" [io.compression.zipfile]::ExtractToDirectory($src, $dst)
- JWS-654 - RHEL 7 RPM Tomcat does not properly parse spaces in JVM parameters/settings
Tomcat fails to start when using
JAVA_OPTS
, which have spaces in them.Workaround
Do not use spaces in parameters.
- JWS-633 - ASF BZ 60683 - Tomcat throws NPE after startup with sec. manager on IBM JDK17
When using the Security Manager and IBM JDK, Tomcat may respond with a 500 status that may be triggered by the compilation of large JSP files. This is caused by an unhanded
NullPointerException
.Workaround
You can precompile JSPs before deploying them to Tomcat.
- JWS-666 - RHEL 7 RPM - TOMCAT_USER variable ignored
The
TOMCAT_USER
andTOMCAT_GROUP
environment variables defined in thesysconfig
andtomcat
configuration files are ignored by the RHEL 7 systemd service units. This is a known issue for JWS 3.1.0 and is a limitation of the systemd design.Workaround
In order to update the
user/group
owner of the Tomcat processes with the new systemd service unit on RHEL 7, you will need to update theUser
andGroup
properties of the service unit (/usr/lib/systemd/system/tomcat7.service
and/usr/lib/systemd/system/tomcat8.service
) rather than thesysconfig
or tomcatconf
files.