Tomitribe’s Jonathan Gallimore (@jongallimore) explains how easy it is to exploit a simple configuration vulnerability in Apache Tomcat and take over your entire server. He also explains how easy it is to prevent this from happening with a simple configuration change. This is an older exploit but one that may not be patched on your own installation. Watch the video to ensure you are protected! Tomitribe’s Enterprise Support service works with Sonatype to monitor all reported vulnerabilities to Tomcat, TomEE, and ActiveMQ to help protect our customers from malicious hackers. Learn more about how we help protect our customers here.
You may be aware that a new critical vulnerability has been discovered in ActiveMQ. This was publicly disclosed on Friday 27th October. The details of the CVE are as follows (https://activemq.apache.org/security-advisories.data/CVE-2023-46604): Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. ActiveMQ, by default, exposes a connector using the OpenWire protocol, and this is commonly used by clients to connect to the broker. Unlike HTTP…
Read More
The Problem One of the design philosophies of Apache TomEE is to adapt the server to fit the user, rather than the other way around. It can be incredibly frustrating to develop your application and then have the application server reject the deployment because a resource or another setting isn't configured quite right. Apache TomEE will attempt to automatically create resources and containers with a reasonable set of defaults so you can concentrate on developing your application, rather than fighting with the server. In this article, I'll set out how these defaults are applied, and how you can customize them.…
Read More
Introduction This article is a quick tip for ActiveMQ users, and introduces the Time Stamp Plugin. Common support queries we get with ActiveMQ are the broker running out of space, or Producer Flow Control kicking in. Often, the cause is simple: messages have been sent to the broker, and haven’t been consumed. This will be exacerbated if you have multiple destinations, and particularly if you use KahaDB for persistence (which is the default). See my post here to get a 10000 ft view on how KahaDB works under the covers, and how it can use a large amount of disk…
Read More
Introduction If you’ve been following tech news over the last couple of days, you’ll very likely have heard about CVE-2021-44228, or “Log4Shell” as it has become known. This particular vulnerability affects Apache Log4J2, a Java logging framework. Tomcat, TomEE, and ActiveMQ themselves do not ship with log4j2, so running out-of-the-box with their default configuration they are not vulnerable to this issue. However, before you breathe a sigh of relief, you should be aware that applications deployed on either TomEE or Tomcat can include additional Java libraries bundled inside. Any jar file included in a web application’s WEB-INF/lib directory will be…
Read More
Tomitribe is part of the expert group for the upcoming JMS 3.0 and provides ActiveMQ and Apache TomEE enterprise support for many organizations. This article demonstrates configuring Tibco EMS in TomEE. For generic guidelines on deploying alternative JMS providers, please see the official TomEE documentation for Changing JMS Implementations JMS providers are generally packaged as Java Connector Architecture (JCA) Resource Adapter Archive (RAR) files, and both outbound (for sending messages to the broker) and inbound (for receiving messages via Message Driven Beans (MDBs) connectors are provided. JCA RAR files are designed to be portable, and any portable RAR file should…
Read More
Quick Introduction One of the new features in JAX-RS 2.1 is Server Side Events. This allows the server to “push” events over to clients that have connected to the server via HTTP(S). Typically HTTP requests involve a single request, a single response, and then you’re done – for example: $ curl -v http://localhost:8080/ping * Trying 127.0.0.1... * TCP_NODELAY set * Connected to localhost (127.0.0.1) port 8080 (#0) > GET /ping HTTP/1.1 > Host: localhost:8080 > User-Agent: curl/7.61.1 > Accept: */* > < HTTP/1.1 200 < Date: Mon, 14 Dec 2020 17:04:36 GMT < Content-Type: application/octet-stream < Content-Length: 12 < Server:…
Read More
One of the common issues we run into with ActiveMQ, is the issue of kahadb log files not being cleared up, leading to the system potentially running out of disk space. There are a few reasons why these log files are not cleaned up: It contains a pending message for a destination or durable topic subscription It contains an ACK for a message which is in an in-use data file - the ACK cannot be removed as a recovery would then mark the message for redelivery The journal references a pending transaction It is a journal file, and there may…
Read More
Tomitribe’s David Blevins and Jonathan Gallimore join Sonatype to discuss and explain the top 5 Tomcat security vulnerabilities.
Read More
Read More
Many applications running on TomEE interact with other services, such as databases or 3rd party REST APIs. As an administrator, we need to be able to tell the application how to connect to these systems. TomEE provides a couple of different strategies for configuration and in this article, we’ll explore the different packaging and deployments. Separating configuration from your application This is probably the most common way of working with TomEE. Any resources that are used in the application are defined in the application server and mapped to a unique name in a JNDI directory. To improve the portability of…
Read More