Help on upgrade tomcat bundled with JBoss for resolving tomcat security issue -[SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability

Mon, 25 Oct 2010 19:42:36 -0700 

Dear Sir/Madam, 

Recently it has been checked that there is security vulnerability for the 
tomcat (version 5.0.9) shipped with the JBoss 4.0.3SP1. 

>From the link below, it is recommended to upgrade to 5.5.28. 

http://marc.info/?l=tomcat-user&m=124449799021571&w=2 

We have tried to upgrade the some tomcat library for version 5.5.31 by 
following with the steps we found in the web in 
http://itapproaches.blogspot.com/2010/08/upgrading-tomcat-in-jboss-405.html 


Yet we have encountered the exception (as attached for your reference). 

Should we upgrade the tomcat only, without upgrading the JBoss AS? 

We would much appreciate it if you could advise you how we could resolve 
the situation,  so as to address the security vulnerability at your 
earliest convenience. 

Thanks for your effort in advance. 

Again, here is our configuration:
JBoss 4.0.3SP1
Tomcat 5.5.9

Many thanks!
Wilson Fu 

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from 
fulfilling this request.

exception

javax.servlet.ServletException: 
org.jboss.web.tomcat.tc5.jasper.JspServletOptions.isCaching()Z
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
        
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)

root cause

java.lang.AbstractMethodError: 
org.jboss.web.tomcat.tc5.jasper.JspServletOptions.isCaching()Z
        org.apache.jasper.compiler.Parser.parseTaglibDirective(Parser.java:425)
        org.apache.jasper.compiler.Parser.parseDirective(Parser.java:499)
        org.apache.jasper.compiler.Parser.parseElements(Parser.java:1558)
        org.apache.jasper.compiler.Parser.parse(Parser.java:130)
        
org.apache.jasper.compiler.ParserController.doParse(ParserController.java:245)
        
org.apache.jasper.compiler.ParserController.parse(ParserController.java:101)
        org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:176)
        org.apache.jasper.compiler.Compiler.compile(Compiler.java:317)
        org.apache.jasper.compiler.Compiler.compile(Compiler.java:298)
        org.apache.jasper.compiler.Compiler.compile(Compiler.java:286)
        
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:565)
        
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:309)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:308)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
        
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to