Skip to main content
All Posts By

Jonathan Gallimore

Jonathan Gallimore is a passionate Apache TomEE committer, developer and trainer at Tomitribe. He started contributing to Apache TomEE in 2007, working on EJB 3.1 compliance, OpenEJB Eclipse Plug-in, early Tomcat 7 integration (that became the basis for TomEE) and the first version of the TomEE Arquillian adapter. Jon has worked as a developer and architect on Java EE projects across the media, banking, and sports industries.

Jan 08
Love0

Protect Your Tomcat & TomEE: Insights into CVE-2024-50379 & CVE-2024-56337 Vulnerabilities

By CVEs, Security, Tomcat, TomEE No Comments
Overview of CVE-2024-50379 and CVE-2024-56337 in Tomcat and TomEE You may have noticed a couple of new CVEs in Tomcat recently - CVE-2024-50379 and CVE-2024-56337. This vulnerability is rated as “important”, and could lead to remote code execution (RCE), if exploited. As TomEE is built using Tomcat, this will also be an issue for TomEE users. Let’s take a closer look so you can understand the impact and check whether your Tomcat/TomEE configuration may be affected. Detailed Analysis of the Vulnerability and Its Impact From the CVE description:  “If the default servlet is write enabled (readonly initialisation parameter set to…
Read More
Nov 07
Love0

Act Now: Protecting Your ActiveMQ Broker from CVE-2023-46604

By ActiveMQ, CVEs, Security No Comments
Dive into CVE-2023-46604 You may be aware that a new critical vulnerability has been discovered in ActiveMQ. This was publicly disclosed on Friday 27th October. The details of the CVE are as follows (https://activemq.apache.org/security-advisories.data/CVE-2023-46604) Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. ActiveMQ, by default, exposes a connector using the OpenWire protocol, and this is commonly used by clients to connect to…
Read More
Apr 27
Love0

Demystifying Default Resources in Apache TomEE

By Apache TomEE One Comment
The Problem One of the design philosophies of Apache TomEE is to adapt the server to fit the user, rather than the other way around.  It can be incredibly frustrating to develop your application and then have the application server reject the deployment because a resource or another setting isn't configured quite right. Apache TomEE will attempt to automatically create resources and containers with a reasonable set of defaults so you can concentrate on developing your application, rather than fighting with the server. In this article, I'll set out how these defaults are applied, and how you can customize them.…
Read More
Aug 11
Love0

ActiveMQ Time Stamp Plugin

By ActiveMQ No Comments
Introduction This article is a quick tip for ActiveMQ users, and introduces the Time Stamp Plugin. Common support queries we get with ActiveMQ are the broker running out of space, or Producer Flow Control kicking in. Often, the cause is simple: messages have been sent to the broker, and haven’t been consumed. This will be exacerbated if you have multiple destinations, and particularly if you use KahaDB for persistence (which is the default). See my post here to get a 10000 ft view on how KahaDB works under the covers, and how it can use a large amount of disk…
Read More
Dec 13
Love0

CVE-2021-44228 – Log4Shell Vulnerability

By CVEs, Tomcat, TomEE No Comments
Introduction If you’ve been following tech news over the last couple of days, you’ll very likely have heard about CVE-2021-44228, or “Log4Shell” as it has become known. This particular vulnerability affects Apache Log4J2, a Java logging framework. Tomcat, TomEE, and ActiveMQ themselves do not ship with log4j2, so running out-of-the-box with their default configuration they are not vulnerable to this issue. However, before you breathe a sigh of relief, you should be aware that applications deployed on either TomEE or Tomcat can include additional Java libraries bundled inside. Any jar file included in a web application’s WEB-INF/lib directory will be…
Read More
Nov 18
Love5

How to use Tibco EMS in TomEE?

By TomEE No Comments
Tomitribe is part of the expert group for the upcoming JMS 3.0 and provides ActiveMQ and Apache TomEE enterprise support for many organizations. This article demonstrates configuring Tibco EMS in TomEE. For generic guidelines on deploying alternative JMS providers, please see the official TomEE documentation for Changing JMS Implementations JMS providers are generally packaged as Java Connector Architecture (JCA) Resource Adapter Archive (RAR) files, and both outbound (for sending messages to the broker) and inbound (for receiving messages via Message Driven Beans (MDBs) connectors are provided. JCA RAR files are designed to be portable, and any portable RAR file should…
Read More
Jan 14
Love4

JAX-RS Server Side Events

By Apache TomEE One Comment
Quick Introduction One of the new features in JAX-RS 2.1 is Server Side Events. This allows the server to “push” events over to clients that have connected to the server via HTTP(S). Typically HTTP requests involve a single request, a single response, and then you’re done – for example: $ curl -v http://localhost:8080/ping * Trying 127.0.0.1... * TCP_NODELAY set * Connected to localhost (127.0.0.1) port 8080 (#0) > GET /ping HTTP/1.1 > Host: localhost:8080 > User-Agent: curl/7.61.1 > Accept: */* > < HTTP/1.1 200 < Date: Mon, 14 Dec 2020 17:04:36 GMT < Content-Type: application/octet-stream < Content-Length: 12 < Server:…
Read More
Oct 06
Love1

KahaDB logs increasing when messages are purged

By ActiveMQ One Comment
One of the common issues we run into with ActiveMQ, is the issue of kahadb log files not being cleared up, leading to the system potentially running out of disk space.  There are a few reasons why these log files are not cleaned up: It contains a pending message for a destination or durable topic subscription It contains an ACK for a message which is in an in-use data file - the ACK cannot be removed as a recovery would then mark the message for redelivery The journal references a pending transaction It is a journal file, and there may…
Read More
Jun 25
Love3

Tomcat RCE Vulnerability via JSP Upload Bypass

By Apache TomEE, Open Source, Tomcat, TomEE No Comments

Tomitribe’s Jonathan Gallimore (@jongallimore) explains how easy it is to exploit a simple configuration vulnerability in Apache Tomcat and take over your entire server. He also explains how easy it is to prevent this from happening with a simple configuration change. This is an older exploit but one that may not be patched on your own installation. Watch the video to ensure you are protected! Tomitribe’s Enterprise Support service works with Sonatype to monitor all reported vulnerabilities to Tomcat, TomEE, and ActiveMQ to help protect our customers from malicious hackers. Learn more about how we help protect our customers here.

Read More