Re: Altering ServerInfo.properties in Tomcat => ClassNotFoundException

Daniel Mikusa Thu, 08 Aug 2013 07:16:44 -0700

On Aug 8, 2013, at 7:05 AM, "Edao, Aliye" <aliye.e...@atos.net> wrote:


> Dear all,
> 
> Altering ${catalina_home}/lib/org/apache/catalina/util/ServerInfo.properties 
> because of information disclosure concerns (TC version number)
> in apache-tomcat-6.0.37, apache-tomcat-7.0.40, apache-tomcat-7.0.42 and 
> Apache Tomcat/8.0.0-RC1 as mentioned in the documentation
> (http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html, 
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html)
> leads to ClassNotFoundException and Tomcat cannot be started.
> 
> The older versions of Tomcat 6 and Tomcat 7 are not affected. Is this now 
> intended or did I miss something?
> 
> Error message (Tomcat 8):

I'm not seeing this issue in my environment.  I've pulled and built Tomcat 8 
from SVN though.  Perhaps you could try that and see if the issue has already 
been resolved?

Here are the steps I followed:

1.) Check out Tomcat 8 from SVN (svn co 
https://svn.apache.org/repos/asf/tomcat/trunk/ tomcat-trunk)
2.) Build  (instructions can be found here ->  
https://svn.apache.org/repos/asf/tomcat/trunk/BUILDING.txt)
3.) cd to output/build/
4.) cd to lib
5.) mkdir -p org/apache/catalina/util
6.) unzip catalina.jar org/apache/catalina/util/ServerInfo.properties
7.) Edit org/apache/catalina/util/ServerInfo.properties, replace info with 
"N/A".
8.) ./bin/startup.sh
9.) Check the logs, which were clean for me.
10.) curl http://localhost:8080/does-not-exist verify output has version listed 
as "N/A".

Dan

> 
> java.lang.ClassNotFoundException: org.apache.catalina.startup.Catalina
>        at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
>        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>        at java.security.AccessController.doPrivileged(Native Method)
>        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
>        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
>        at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:271)
>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:461)
> 
> Tomcat:
> 
> apache-tomcat-6.0.37
> apache-tomcat-7.0.40
> apache-tomcat-7.0.42
> Tomcat/8.0.0-RC1
> 
> JDK:
> Oracle jdk1.7.0_25
> 
> OS:
> SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11
> PATCHLEVEL = 1
> 
> Thank you very much!
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Altering ServerInfo.properties in Tomcat => ClassNotFoundException

Reply via email to