Skip to content

Apache Tomcat 6.0.35前有拒绝服务,信息泄露等漏洞

Apache Tomcat 6.0.35前有信息泄露相关的一个漏洞(CVE-2011-3375),
以及另一个在此前广受关注的哈希碰撞引发拒绝服务(DoS)漏洞(CVE-2012-0022),
Apache 建议用户对 Tomcat 进行升级从而规避此漏洞。

http://tomcat.apache.org/security-6.html

一.安装Oracle JRockit
使用Oracle JRockit 可以提高tomcat性能
当前版本Oracle JRockit 6 – R28.2.3
Includes JRockit Mission Control 4.1 and JRockit Real Time 4.1
http://download.oracle.com/otn/bea/jrockit/jrockit-jdk1.6.0_31-R28.2.3-4.1.0-linux-x64.bin

需登录后下载

chmod u+x jrockit-jdk1\[1\].6.0_31-R28.2.3-4.1.0-linux-x64.bin
./jrockit-jdk1\[1\].6.0_31-R28.2.3-4.1.0-linux-x64.bin

遇到以下错误可能是/tmp没有执行权限

sh: jre150_12/bin/java: Permission denied
** Error during execution, error code = 32256.

按照提示一步步安装到
/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0
做个软链接

ln -s /usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0 /usr/jrrt

二.安装apr
yum install apr apr-util apr-devel

tomcat需要tomcat-native,而tomcat-native需要apr和openssl
没有apr启动tomcat可能会有以下错误

2012-4-20 13:28:37 org.apache.catalina.core.AprLifecycleListener init
信息: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/amd64/jrockit:/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/amd64:/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/../lib/amd64

三.tomcat 安装
tomcat安装在/opt/下

cd /root/src/
wget http://labs.renren.com/apache-mirror/tomcat/tomcat-6/v6.0.35/bin/apache-tomcat-6.0.35.tar.gz
tar zxvf apache-tomcat-6.0.35.tar.gz
mv apache-tomcat-6.0.35 /opt/
cd /opt
#复制配制文件
cp -ar tomcat/conf/*.xml apache-tomcat-6.0.35/conf/
#复制经过修改的关闭脚本,原生的有问题
cp tomcat/bin/shutdown.sh apache-tomcat-6.0.35/bin/

四.安装tomcat-native

cd apache-tomcat-6.0.35/bin
tar zxvf tomcat-native-1.1.22-src.tar.gz
cd tomcat-native-1.1.22-src/jni/native/
./configure –with-apr=/usr/bin/apr-1-config –with-java-home=/usr/jrockit-jdk1.6.0_31-R28.2.3-4.1.0
make
make install

五.编辑变量
vi /etc/profile

JAVA_HOME=/usr/jrrt
export JAVA_HOME
PATH=$PATH:$JAVA_HOME/bin
#原始设置省略

APR_HOME=/usr/local/apr
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$APR_HOME/lib
export LD_LIBRARY_PATH

重新载入
source /etc/profile

六.迁移服务及应用
关闭tomcat
/opt/tomcat/bin/shutdown.sh

cd /opt
mv apache-tomcat-6.0.35/webapps/ apache-tomcat-6.0.35/webappsorg
cp -ar tomcat/webapps apache-tomcat-6.0.35/

mv apache-tomcat-6.0.35/lib/ apache-tomcat-6.0.35/libbak
cp -ar tomcat/lib/ apache-tomcat-6.0.35/
mv apache-tomcat-6.0.35/libbak/* apache-tomcat-6.0.35/lib/

删除软链接

rm /opt/tomcat
ln -s /opt/apache-tomcat-6.0.35 /opt/tomcat

启动tomcat
/opt/tomcat/bin/startup.sh
检查日志及服务
tail -n100 /opt/tomcat/logs/catalina.out

参考:
tomcat安全设置
优化tomcat 内存
CentOs5.2安装tomcat
使用Oracle JRockit 提高tomcat性能

Posted in Tomcat, 安全通告.

Tagged with , .

By C1G 2012/04/20

One Response

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Wordpress社交评论工具 says

    找了好久才找到~谢谢博主,超感动!吼吼~~

    2012/04/26, 11:38



Some HTML is OK

or, reply to this post via trackback.

« »