On 10/01/2022 09:22, Scott,Tim wrote:
> Hi all,
>
> We've started to use software from dependency tracker dot com to analyse dependencies in our web applications and it highlighted the following:
>
> "The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError."
>
> My question would be whether it is sufficient to update the application .war file to use, for example, version 9.0.56 of tomcat-servlet-api and related libraries, or do we also have to deploy with Tomcat 9.0.54+?
No, for several reasons.

1. The code that triggers the memory leak isn't in the API JARs.
2. Java EE API JARs for APIs provided by Tomcat (Servlet, JSP, EL, WebSocket and JASPIC) should not be packaged with a web application (i.e. they should not be in WEB-INF/lib).
3. Tomcat ignores all Java EE API classes packaged in web applications if Tomcat provides that API.
> I'm guessing that updating the .war file would remedy the application memory leak
Nope. Since there is no application memory leak as a result of this bug.
> and updating the deployment version would remedy the memory leak in the Tomcat service itself - but I don't like to leave this to guesswork. We've had reports of memory leaks causing problems.
You need to update the version of Tomcat you are running on.

Mark
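The two checks that follow from this exchange, written up as an added example (this is not code from the thread or from the Tomcat project): first, whether a .war carries container-provided API JARs in WEB-INF/lib, which Tomcat ignores and which therefore cannot fix anything in the server; second, whether the Tomcat version actually running falls inside the affected ranges quoted from the advisory above. The affected ranges are copied from the quoted advisory text; the JAR-name pattern is a heuristic assumption, the sample .war is constructed in-line, and the version string is assumed to come from the "Server version: Apache Tomcat/x.y.z" line that bin/version.sh prints.

```python
import re
import os
import tempfile
import zipfile
from typing import List, Tuple

# Affected ranges (inclusive), copied from the advisory text quoted in the thread.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M5"),
    ("10.0.0-M1", "10.0.11"),
    ("9.0.40", "9.0.53"),
    ("8.5.60", "8.5.71"),
]

# APIs Tomcat provides itself (Servlet, JSP, EL, WebSocket, JASPIC). A copy in
# WEB-INF/lib is ignored by Tomcat. The name pattern is an assumption that
# covers e.g. tomcat-servlet-api-9.0.56.jar and jakarta.websocket-api-1.1.2.jar.
API_JAR_RE = re.compile(r"(?:^|[-.])(servlet|jsp|el|websocket|jaspic)-api\b", re.IGNORECASE)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(v: str) -> Tuple[int, int, int, int]:
    """Sortable key for a Tomcat version. Milestones (10.0.0-M3) sort before
    the final 10.0.0, so a final release gets a large sentinel in the last slot."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else 10**6)


def is_affected(version: str) -> bool:
    """True if the running Tomcat version lies in one of the affected ranges."""
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def tomcat_version_from_version_sh(output: str) -> str:
    """Pull the version out of bin/version.sh output
    ('Server version: Apache Tomcat/9.0.54')."""
    m = re.search(r"Apache Tomcat/(\S+)", output)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' line found")
    return m.group(1)


def api_jars_in_war(war_path: str) -> List[str]:
    """Return the WEB-INF/lib entries that are container-provided API JARs.
    Anything listed here is dead weight: Tomcat ignores it, and updating it
    does nothing for a bug in the server's own code."""
    with zipfile.ZipFile(war_path) as war:
        return sorted(
            name for name in war.namelist()
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar")
            and API_JAR_RE.search(name.rsplit("/", 1)[-1])
        )


def build_sample_war() -> str:
    """Constructed sample .war (empty placeholder JARs, not a real application)
    written to a temp directory; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "app.war")
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/tomcat-servlet-api-9.0.56.jar", b"")
        war.writestr("WEB-INF/lib/jakarta.websocket-api-1.1.2.jar", b"")
        war.writestr("WEB-INF/lib/jackson-databind-2.13.0.jar", b"")
    return path


if __name__ == "__main__":
    war = build_sample_war()
    print("API JARs Tomcat will ignore:", api_jars_in_war(war))
    # Constructed version.sh output, as an example of the second check.
    running = tomcat_version_from_version_sh("Server version: Apache Tomcat/9.0.53\n")
    for v in [running, "9.0.54", "10.0.0-M5", "10.0.12", "8.5.71", "10.1.0-M6"]:
        print(v, "affected" if is_affected(v) else "not affected")
```

Run `bin/version.sh` on the server (not the build machine) and feed its output to `tomcat_version_from_version_sh`; a version inside an affected range means the server itself needs upgrading, regardless of what the .war bundles. Note that a final release such as 10.0.0 sorts after its milestones and is therefore inside the 10.0.0-M1 to 10.0.11 range, which is what the advisory's wording implies.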