Skip to content

Apache Tomcat 6.0.35前有拒绝服务,信息泄露等漏洞

Apache Tomcat 6.0.35前有信息泄露相关的一个漏洞(CVE-2011-3375), 以及另一个在此前广受关注的哈希碰撞引发拒绝服务(DoS)漏洞(CVE-2012-0022), Apache 建议用户对 Tomcat 进行升级从而规避此漏洞。

http://tomcat.apache.org/security-6.html

一.安装Oracle JRockit 使用Oracle JRockit 可以提高tomcat性能 当前版本Oracle JRockit 6 – R28.2.3 Includes JRockit Mission Control 4.1 and JRockit Real Time 4.1 http://download.oracle.com/otn/bea/jrockit/jrockit-jdk1.6.0_31-R28.2.3-4.1.0-linux-x64.bin

需登录后下载

chmod u+x jrockit-jdk1\[1\].6.0_31-R28.2.3-4.1.0-linux-x64.bin ./jrockit-jdk1\[1\].6.0_31-R28.2.3-4.1.0-linux-x64.bin

遇到以下错误可能是/tmp没有执行权限

sh: jre150_12/bin/java: Permission denied ** Error during execution, error code = 32256.

按照提示一步步安装到 /usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0 做个软链接

ln -s /usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0 /usr/jrrt

二.安装apr yum install apr apr-util apr-devel

tomcat需要tomcat-native,而tomcat-native需要apr和openssl 没有apr启动tomcat可能会有以下错误

2012-4-20 13:28:37 org.apache.catalina.core.AprLifecycleListener init 信息: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/amd64/jrockit:/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/amd64:/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/../lib/amd64

三.tomcat 安装 tomcat安装在/opt/下

cd /root/src/ wget http://labs.renren.com/apache-mirror/tomcat/tomcat-6/v6.0.35/bin/apache-tomcat-6.0.35.tar.gz tar zxvf apache-tomcat-6.0.35.tar.gz mv apache-tomcat-6.0.35 /opt/ cd /opt #复制配制文件 cp -ar tomcat/conf/*.xml apache-tomcat-6.0.35/conf/ #复制经过修改的关闭脚本,原生的有问题 cp tomcat/bin/shutdown.sh apache-tomcat-6.0.35/bin/

四.安装tomcat-native

cd apache-tomcat-6.0.35/bin tar zxvf tomcat-native-1.1.22-src.tar.gz cd tomcat-native-1.1.22-src/jni/native/ ./configure –with-apr=/usr/bin/apr-1-config –with-java-home=/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0 make make install

五.编辑变量 vi /etc/profile

JAVA_HOME=/usr/jrrt export JAVA_HOME PATH=$PATH:$JAVA_HOME/bin #原始设置省略 APR_HOME=/usr/local/apr LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$APR_HOME/lib export LD_LIBRARY_PATH

重新载入 source /etc/profile

六.迁移服务及应用 关闭tomcat /opt/tomcat/bin/shutdown.sh

cd /opt mv apache-tomcat-6.0.35/webapps/ apache-tomcat-6.0.35/webappsorg cp -ar tomcat/webapps apache-tomcat-6.0.35/ mv apache-tomcat-6.0.35/lib/ apache-tomcat-6.0.35/libbak cp -ar tomcat/lib/ apache-tomcat-6.0.35/ mv apache-tomcat-6.0.35/libbak/* apache-tomcat-6.0.35/lib/

删除软链接

rm /opt/tomcat ln -s /opt/apache-tomcat-6.0.35 /opt/tomcat

启动tomcat /opt/tomcat/bin/startup.sh 检查日志及服务 tail -n100 /opt/tomcat/logs/catalina.out

参考: tomcat安全设置 优化tomcat 内存 CentOs5.2安装tomcat 使用Oracle JRockit 提高tomcat性能

Posted in Tomcat, 安全通告.

Tagged with , .

rev="post-1434" 1 comment

By C1G 2012/04/20

One Response

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Wordpress社交评论工具 says

    找了好久才找到~谢谢博主,超感动!吼吼~~

    2012/04/26, 11:38



Some HTML is OK

or, reply to this post via trackback.

« »