Skip to content


Apache Tomcat 6.0.35前有拒绝服务,信息泄露等漏洞

Apache Tomcat 6.0.35前有信息泄露相关的一个漏洞(CVE-2011-3375),
以及另一个在此前广受关注的哈希碰撞引发拒绝服务(DoS)漏洞(CVE-2012-0022),
Apache 建议用户对 Tomcat 进行升级从而规避此漏洞。

http://tomcat.apache.org/security-6.html

一.安装Oracle JRockit
使用Oracle JRockit 可以提高tomcat性能
当前版本Oracle JRockit 6 – R28.2.3
Includes JRockit Mission Control 4.1 and JRockit Real Time 4.1
http://download.oracle.com/otn/bea/jrockit/jrockit-jdk1.6.0_31-R28.2.3-4.1.0-linux-x64.bin

需登录后下载

  1. chmod u+x jrockit-jdk1\[1\].6.0_31-R28.2.3-4.1.0-linux-x64.bin
  2. ./jrockit-jdk1\[1\].6.0_31-R28.2.3-4.1.0-linux-x64.bin

遇到以下错误可能是/tmp没有执行权限

  1. sh: jre150_12/bin/java: Permission denied
  2. ** Error during execution, error code = 32256.

按照提示一步步安装到
/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0
做个软链接

  1. ln -s /usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0 /usr/jrrt

二.安装apr
yum install apr apr-util apr-devel

tomcat需要tomcat-native,而tomcat-native需要apr和openssl
没有apr启动tomcat可能会有以下错误

  1. 2012-4-20 13:28:37 org.apache.catalina.core.AprLifecycleListener init
  2. 信息: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/amd64/jrockit:/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/amd64:/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/../lib/amd64

三.tomcat 安装
tomcat安装在/opt/下

  1. cd /root/src/
  2. wget http://labs.renren.com/apache-mirror/tomcat/tomcat-6/v6.0.35/bin/apache-tomcat-6.0.35.tar.gz
  3. tar zxvf apache-tomcat-6.0.35.tar.gz
  4. mv apache-tomcat-6.0.35 /opt/
  5. cd /opt
  6. #复制配制文件
  7. cp -ar tomcat/conf/*.xml apache-tomcat-6.0.35/conf/
  8. #复制经过修改的关闭脚本,原生的有问题
  9. cp tomcat/bin/shutdown.sh apache-tomcat-6.0.35/bin/

四.安装tomcat-native

  1. cd apache-tomcat-6.0.35/bin
  2. tar zxvf tomcat-native-1.1.22-src.tar.gz
  3. cd tomcat-native-1.1.22-src/jni/native/
  4.  ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0
  5. make
  6. make install

五.编辑变量
vi /etc/profile

  1. JAVA_HOME=/usr/jrrt
  2. export JAVA_HOME
  3. PATH=$PATH:$JAVA_HOME/bin
  4. #原始设置省略
  5.  
  6. APR_HOME=/usr/local/apr
  7. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$APR_HOME/lib
  8. export LD_LIBRARY_PATH

重新载入
source /etc/profile

六.迁移服务及应用
关闭tomcat
/opt/tomcat/bin/shutdown.sh

  1. cd /opt
  2. mv apache-tomcat-6.0.35/webapps/ apache-tomcat-6.0.35/webappsorg
  3. cp -ar tomcat/webapps apache-tomcat-6.0.35/
  4.  
  5. mv apache-tomcat-6.0.35/lib/ apache-tomcat-6.0.35/libbak
  6. cp -ar tomcat/lib/ apache-tomcat-6.0.35/
  7. mv apache-tomcat-6.0.35/libbak/* apache-tomcat-6.0.35/lib/

删除软链接

  1. rm /opt/tomcat
  2. ln -s /opt/apache-tomcat-6.0.35 /opt/tomcat

启动tomcat
/opt/tomcat/bin/startup.sh
检查日志及服务
tail -n100 /opt/tomcat/logs/catalina.out

参考:
tomcat安全设置
优化tomcat 内存
CentOs5.2安装tomcat
使用Oracle JRockit 提高tomcat性能

Posted in Tomcat, 安全通告.

Tagged with , .


One Response

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Wordpress社交评论工具 says

    找了好久才找到~谢谢博主,超感动!吼吼~~



Some HTML is OK

or, reply to this post via trackback.