
Apache Tomcat is the leading Java application server by market share and the world's most widely used web application server overall. Currently at version 8, the popular web server has not been without its security flaws, perhaps most famously publicized in this incident of aircraft hacking by security researcher Chris Roberts earlier this year. However, hardening Tomcat's default configuration is just plain good security sense—even if you don't plan on using it on your plane's network. The following are 15 ways to secure Apache Tomcat 8 out of the box.
1. Don't run Tomcat as the root user
This line of advice applies to most web server platforms. Web-related services should not be run by user accounts with a high level of administrative access. In Tomcat's case, a user with the minimum necessary OS permissions should be created exclusively to run the Tomcat process.
2. Remove any default sample or test web applications
Most web server platforms also ship a set of sample or test web applications for demo and learning purposes. These applications have been known to harbor vulnerabilities and should be removed if not in use. Tomcat's examples web application, in particular, should be removed to prevent exploitation.
3. Put Tomcat's shutdown procedure on lockdown
This prevents malicious actors from shutting down Tomcat's web services. Disable the shutdown port by setting the port attribute of the Server element in server.xml to -1. If the port must be kept open, be sure to configure a strong, non-default shutdown command string.
4. Disable support for TRACE requests
Though useful for debugging, enabling allowTrace can expose some browsers to a cross-site scripting (XSS) attack. This can be mitigated by leaving allowTrace disabled on each Connector in the server.xml file.
5. Disable sending of the X-Powered-By HTTP header
If enabled, Tomcat will send information such as the Servlet and JSP specification versions and the full Tomcat version, among others. This gives attackers a workable starting point to craft an attack. To prevent this information leakage, disable the xpoweredBy attribute in the server.xml file.
6. Disable SSLv3 to prevent POODLE attacks
POODLE is an SSL v3 protocol vulnerability discovered in 2014. An attacker can gain access to sensitive information such as passwords and browser cookies by exploiting this vulnerability; consequently, SSL v3 (and SSL in general) should not be listed under the sslEnabledProtocols attribute in the server.xml file.

7. Set the deployXML attribute to false in a hosted environment
This prevents would-be attackers from attempting to escalate a web application's privileges by packaging an altered or custom context.xml. This is especially critical in hosted environments where other web applications sharing the same server resources cannot be trusted.
8. Configure and use realms judiciously
Tomcat's realm implementations differ in design, and their limitations should be understood before use. For example, the DataSourceRealm should be used in place of the JDBCRealm, as the latter is single-threaded for all authentication and authorization operations and not suited for production use. The JAASRealm should also be avoided, as it is seldom used and has an immature codebase.
9. Set Tomcat to create new facade object for each request
This can be configured by setting the org.apache.catalina.connector.RECYCLE_FACADES system property to true. By doing this, you reduce the chance of a buggy application exposing data between requests.
10. Ensure that access to resources is set to read-only
This can be done by setting the readonly init-param of the DefaultServlet to true (its default), effectively preventing clients from deleting or modifying static resources on the server and from uploading new resources.
11. Disable Tomcat from displaying directory listings
Listing the contents of directories with a large number of files can consume considerable system resources and can therefore be used in a denial-of-service (DoS) attack. Setting the listings init-param of the DefaultServlet to false mitigates this risk.
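Items 10 and 11 both live in the DefaultServlet declaration in web.xml, so one check covers them. The following script is an added example, not code from the original article or from Apache Tomcat: it reads a web.xml, works out the effective values of the real DefaultServlet init-params readonly and listings (falling back to Tomcat's documented defaults when a param is absent), reports the weak settings, and rewrites explicit weak values to their safe form. The web.xml fragment it runs against is constructed for the example.

```python
"""Check and fix the DefaultServlet init-params in a Tomcat web.xml (items 10 and 11).

Added example; not from the original article or from Apache Tomcat. The init-param
names readonly and listings are real DefaultServlet parameters; the web.xml below
is a constructed sample.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
# Safe values; these are also Tomcat's defaults when the init-param is absent.
SAFE_VALUES = {"listings": "false", "readonly": "true"}

# Constructed sample: a DefaultServlet declaration with both settings weakened.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

def _qualifier(root):
    """Return a function that maps a local tag name to its namespace-qualified form."""
    ns = root.tag[1:].partition("}")[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)   # keep the default namespace on serialization
    return (lambda t: "{%s}%s" % (ns, t)) if ns else (lambda t: t)

def _default_servlet_params(root, q):
    """Yield (param-name, param-value element) pairs declared on the DefaultServlet."""
    for servlet in root.iter(q("servlet")):
        cls = servlet.find(q("servlet-class"))
        if cls is None or (cls.text or "").strip() != DEFAULT_SERVLET:
            continue
        for ip in servlet.findall(q("init-param")):
            name, value = ip.find(q("param-name")), ip.find(q("param-value"))
            if name is not None and value is not None:
                yield (name.text or "").strip(), value

def audit_default_servlet(xml_text):
    """Return findings for listings/readonly; absent params take Tomcat's defaults."""
    root = ET.fromstring(xml_text)
    q = _qualifier(root)
    effective = dict(SAFE_VALUES)
    for name, value in _default_servlet_params(root, q):
        if name in effective:
            effective[name] = (value.text or "").strip().lower()
    findings = []
    if effective["listings"] == "true":
        findings.append("listings=true: directory listings enabled (resource exhaustion, path disclosure)")
    if effective["readonly"] == "false":
        findings.append("readonly=false: clients may PUT or DELETE static resources")
    return findings

def harden_default_servlet(xml_text):
    """Return web.xml text with explicit listings/readonly values forced to the safe settings."""
    root = ET.fromstring(xml_text)
    q = _qualifier(root)
    for name, value in _default_servlet_params(root, q):
        if name in SAFE_VALUES:
            value.text = SAFE_VALUES[name]
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for finding in audit_default_servlet(WEAK_WEB_XML):
        print("weak:", finding)
    print(harden_default_servlet(WEAK_WEB_XML))
```

The namespace handling matters in practice: Tomcat's conf/web.xml declares a default namespace, so a plain `find("servlet")` returns nothing and an audit that ignores this silently reports a clean file.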
12. Enable logging of network traffic
In general, logs should be generated and maintained at all levels (user access, Tomcat internals, etc.), but network traffic logging is especially useful for breach assessment and forensics. To have your Tomcat instance log network traffic, configure the AccessLogValve component.
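Logging is only useful for breach assessment if someone reads the output, so here is an added example (not from the original article or from Apache Tomcat) of the review side: a parser for the "common" pattern that AccessLogValve writes by default (`%h %l %u %t "%r" %s %b`), run over a few constructed log lines. It flags requests to the stock webapps that items 2 and 14 recommend removing or restricting, TRACE requests (item 4), and lines that do not parse at all, and it counts which client addresses touched the stock webapps. The addresses are RFC 5737 documentation ranges and the lines are constructed for this example.

```python
"""Parse Tomcat AccessLogValve output and pull out events worth a second look (item 12).

Added example; not from the original article or from Apache Tomcat. Reads the
"common" pattern the valve writes by default: %h %l %u %t "%r" %s %b.
The log lines are constructed with RFC 5737 documentation addresses.
"""
import re
from collections import Counter
from datetime import datetime

# One regex for the common pattern: host, identd, user, timestamp, request line, status, bytes.
COMMON_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# Context paths of the stock webapps that items 2 and 14 recommend removing or restricting.
DEFAULT_WEBAPPS = ("/examples", "/docs", "/manager", "/host-manager")

# Constructed sample lines in the common pattern (last line deliberately malformed).
SAMPLE_LOG = """\
198.51.100.23 - - [26/Apr/2021:10:15:01 +0000] "GET /examples/servlets/ HTTP/1.1" 404 1021
198.51.100.23 - - [26/Apr/2021:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.23 - - [26/Apr/2021:10:15:03 +0000] "TRACE / HTTP/1.1" 405 -
203.0.113.7 - alice [26/Apr/2021:10:16:10 +0000] "GET /app/index.jsp?id=7 HTTP/1.1" 200 5120
this line is not in the common pattern
"""

def parse_line(line):
    """Return a dict for one common-pattern line, or None if the line does not match."""
    m = COMMON_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")                         # "METHOD /path HTTP/x.y"
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # "-" means no body sent
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def review(log_text):
    """Return one finding per line that hits a stock webapp, uses TRACE, or cannot be parsed."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append({"host": None, "path": None, "reason": "unparseable line"})
            continue
        base = {"host": rec["host"], "path": rec["path"], "status": rec["status"],
                "time": rec["time"].isoformat()}
        if rec["method"] == "TRACE":
            findings.append({**base, "reason": "TRACE request"})
        if any(rec["path"] == p or rec["path"].startswith(p + "/") for p in DEFAULT_WEBAPPS):
            findings.append({**base, "reason": "default webapp requested"})
    return findings

def hosts_touching_default_webapps(log_text):
    """Count, per client address, how many requests hit the stock webapps."""
    return Counter(f["host"] for f in review(log_text)
                   if f["reason"] == "default webapp requested")

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
    print(hosts_touching_default_webapps(SAMPLE_LOG))
```

A 404 for /examples after the application has been removed is exactly the signal you want: the removal worked, and the client address is now worth correlating with the rest of the log.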
13. Disable automated deployment if not in use
If you're running a fully-realized CI/CD pipeline, good for you—you'll need full use of Tomcat's host components. However, if not—be sure to set all the host attributes to false (autoDeploy, deployOnStartup, and deployXML) to prevent them from being compromised by an attacker.
14. Disable or limit the Tomcat Manager Webapp
Tomcat Manager enables easy configuration and management of Tomcat instances through one web interface. Convenient, no doubt—for both authorized administrators and attackers. Alternative methods for administering Tomcat instances are therefore better, but if Tomcat Manager must be used, be sure to use its configuration options to limit your risk exposure.
15. Limit the availability of connectors
Connectors by default listen on all interfaces. For better security, they should only listen on those required by your web application and ignore the rest. This can be accomplished by setting the address attribute of the Connector element.
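Items 3, 4, 5, 6, 7, 12, 13 and 15 are all attributes or child elements of server.xml, so they can be audited together. The script below is an added example, not code from the original article or from Apache Tomcat: it parses a server.xml and reports every one of those settings still in its weak state, taking care to flag Host attributes that are unsafe by default when absent (deployXML, autoDeploy, deployOnStartup) while only flagging Connector attributes that default to safe (allowTrace, xpoweredBy) when explicitly enabled. The two XML documents are constructed samples of the weak and hardened forms; the attribute and class names are real Tomcat configuration names, and 192.0.2.10 is a documentation address.

```python
"""Audit a Tomcat server.xml for the settings covered in items 3 to 7, 12, 13 and 15.

Added example; it is not code from the original article or from Apache Tomcat.
The attribute names (port, shutdown, allowTrace, xpoweredBy, sslEnabledProtocols,
address, deployXML, autoDeploy, deployOnStartup) and the AccessLogValve class are
real Tomcat configuration names; both XML documents below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed: a server.xml with every checked setting in its weak form.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="true" xpoweredBy="true"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed: the same layout with hardened values (192.0.2.10 is a documentation address).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
               allowTrace="false" xpoweredBy="false"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               address="192.0.2.10" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log" suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true"
            autoDeploy="false" deployOnStartup="false" deployXML="false"/>
    </Engine>
  </Service>
</Server>
"""

def _is_true(value):
    return (value or "").strip().lower() == "true"

def audit_server_xml(xml_text):
    """Return (severity, message) findings; an empty list means every checked setting is hardened."""
    root = ET.fromstring(xml_text)
    findings = []

    # Item 3: shutdown port disabled (-1) or at least not using the default command string.
    if root.get("port", "8005") != "-1":
        if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
            findings.append(("high", "shutdown port open with the default SHUTDOWN command"))
        else:
            findings.append(("medium", "shutdown port open; keep the command string strong and the port local"))

    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        # Item 4: allowTrace defaults to false, so only an explicit true is a finding.
        if _is_true(conn.get("allowTrace")):
            findings.append(("medium", f"Connector {port}: allowTrace enabled"))
        # Item 5: xpoweredBy also defaults to false.
        if _is_true(conn.get("xpoweredBy")):
            findings.append(("low", f"Connector {port}: X-Powered-By header enabled"))
        # Item 6: any SSLv2/SSLv3 entry in sslEnabledProtocols is a finding.
        protos = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
        if any(p.upper().startswith("SSL") for p in protos):
            findings.append(("high", f"Connector {port}: SSL protocol enabled ({','.join(protos)})"))
        # Item 15: without address, the connector binds every interface.
        if conn.get("address") is None:
            findings.append(("low", f"Connector {port}: no address attribute, listens on all interfaces"))

    for host in root.iter("Host"):
        # Items 7 and 13: these default to true, so an absent attribute is flagged too.
        for attr in ("deployXML", "autoDeploy", "deployOnStartup"):
            if host.get(attr) is None or _is_true(host.get(attr)):
                findings.append(("medium", f"Host {host.get('name', '?')}: {attr} enabled (explicitly or by default)"))

    # Item 12: an AccessLogValve may sit under Engine, Host or Context; any one counts.
    if not any(v.get("className", "").endswith("AccessLogValve") for v in root.iter("Valve")):
        findings.append(("medium", "no AccessLogValve configured; network access is not being logged"))
    return findings

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        results = audit_server_xml(doc)
        print(f"{label}: {len(results)} finding(s)")
        for sev, msg in results:
            print(f"  [{sev}] {msg}")
```

Run it against `$CATALINA_BASE/conf/server.xml` after each change; the point of encoding the defaults in the check is that a Host element with no deploy attributes at all is just as exposed as one with them set to true.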
In short, Apache Tomcat's popularity invariably means that its vulnerabilities and exploits are well known by both security professionals and malicious actors alike. Out-of-the-box security is never sufficient for protecting against today's cyber threats, and proper hardening of Tomcat is especially critical given the server platform's ubiquity. Looking for a way to perform these hardening checks and more, automatically—with just a few mouse clicks? Check out ScriptRock's platform for vulnerability detection and security monitoring. It's free for up to 10 servers, so try it today on us.
Sources
Apache Tomcat
The Apache Tomcat® software is an open source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations and Jakarta Authentication specifications. These specifications are part of the Jakarta EE platform.
The Jakarta EE platform is the evolution of the Java EE platform. Tomcat 10 and later implement specifications developed as part of Jakarta EE. Tomcat 9 and earlier implement specifications developed as part of Java EE.
The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project. To learn more about getting involved, click here.
Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Some of these users and their stories are listed on the PoweredBy wiki page.
Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat project logo are trademarks of the Apache Software Foundation.
2021-04-26 Tomcat 7.0.109 Released
The Apache Tomcat Project is proud to announce the release of version 7.0.109 of Apache Tomcat. This release implements specifications that are part of the Java EE 6 platform. This release contains a number of bug fixes and improvements compared to version 7.0.108.
Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.
Note: Apache Tomcat 7.0.x has reached end of life. Read more...
2021-04-06 Tomcat 10.0.5 Released
The Apache Tomcat Project is proud to announce the release of version 10.0.5 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 9 platform.
Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.
The notable changes in this release are:
- Fix a regression in 10.0.4 that meant that an error during an asynchronous read broke all future asynchronous reads associated with the same request instance.
- Prevent concurrent calls to ServletInputStream.isReady() corrupting the input buffer.
- Update the packaged version of Tomcat Native to 1.2.27 to pick up binaries built with OpenSSL 1.1.1k.
Full details of these changes, and all the other changes, are available in the Tomcat 10 changelog.

2021-04-06 Tomcat 9.0.45 Released
The Apache Tomcat Project is proud to announce the release of version 9.0.45 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.44 include:
- Fix a regression in 9.0.44 that meant that an error during an asynchronous read broke all future asynchronous reads associated with the same request instance.
- Prevent concurrent calls to ServletInputStream.isReady() corrupting the input buffer.
- Update the packaged version of Tomcat Native to 1.2.27 to pick up binaries built with OpenSSL 1.1.1k.
Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.
2020-04-06 Tomcat 8.5.65 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.65 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.64 include:
- Fix a regression in 8.5.64 that meant that an error during an asynchronous read broke all future asynchronous reads associated with the same request instance.
- Prevent concurrent calls to ServletInputStream.isReady() corrupting the input buffer.
- Update the packaged version of Tomcat Native to 1.2.27 to pick up binaries built with OpenSSL 1.1.1k.

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.
2021-04-06 Tomcat Native 1.2.28 Released
The Apache Tomcat Project is proud to announce the release of version 1.2.28 of Tomcat Native. The notable changes since 1.2.27 include:
- Correct a regression in the fix for 65181 that prevented an error message from being displayed if an invalid key file was provided and no OpenSSL Engine was configured.
Download | ChangeLog for 1.2.28
2021-02-18 Tomcat Migration Tool for Jakarta EE 0.2.0 Released
The Apache Tomcat Project is proud to announce the release of 0.2.0 of the Apache Tomcat Migration Tool for Jakarta EE. This release contains a number of bug fixes and improvements compared to version 0.1.0.
The notable changes in this release are:
- Various fixes to the packages that are and are not converted
- A new option to process zip archives in memory to support zip files that use options that are incompatible with a streaming approach
- A new option to exclude files from transformation
Full details of these changes, and all the other changes, are available in the changelog.
2020-03-06 Tomcat Connectors 1.2.48 Released
The Apache Tomcat Project is proud to announce the release of version 1.2.48 of Apache Tomcat Connectors. This version fixes a number of bugs found in previous releases.
Download | ChangeLog for 1.2.48
2015-03-17 Apache Standard Taglib 1.2.5 Released
The Apache Tomcat Project is proud to announce the release of version 1.2.5 of the Standard Taglib. This tag library provides Apache's implementation of the JSTL 1.2 specification.
Version 1.2.5 is a minor bug fix release reverting a change made in 1.2.1 where <c:import> modified the HTTP method during POST operations, and fixing an issue that resulted in an AccessControlException during startup unless permission was granted to read the accessExternalEntity property.
Please see the Taglibs section for more details.
Download | Changes
2013-11-11 Tomcat Maven Plugin 2.2 Released
The Apache Tomcat team is pleased to announce the release of Tomcat Maven Plugin 2.2. Changelog available here.
The Apache Tomcat Maven Plugin provides goals to manipulate WAR projects within the Apache Tomcat servlet container.
The binaries are available from Maven repositories. You should specify the version in your project's plugin configuration:
or
