Mitigating slow HTTP headers vulnerability

(My apologies if this has been discussed already.) Slow HTTP headers vulnerability was reported by scanner tool, on Tomcat 8.5.54. There might be not any perfect solution to address this issue, but wanted to understand some of the best practices to mitigate this vulnerability. https://stackover

Regarding context.xml changes impact other web service not deployed

Hi Team, In our product to address security vulnerability in context.xml, we have introduced following entry After introducing the above line, I noticed few rest service which is not deployed in that Tomcat also getting impact. Deployment Details Deployed :RHEL Tomcat Installatio

RE: [EXTERNAL] Re: Ensuring clean Tomcat shutdown

Thank you Luis for the inputs. Yes, we do use the listeners and "contextDestroyed" and clean up the resources. But with many team members working, wanted to have some automated check to ensure cleaning up wasn't missed. Thanks, Amit -Original Message- From: Luis Rodríguez Fernández

File access error on Windows Server 2019 after upgrading to Tomcat 8.5.45

I've been tasked with upgrading Tomcat from 8.5.41, but have run into a problem that begins with release 8.5.45. Hopefully someone here can help. I have a servlet that tries to update a file that was previously written by a separate servlet. Prior to 8.5.45, this works as expected and the file i

[ANN] Apache Tomcat 8.5.56 available

The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.56. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and Java Authentication Service Provider Interface for Containers t

[ANN] Apache Tomcat 9.0.36 available

The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.36. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.36 is a bugfix and feat

[ANN] Apache Tomcat 10.0.0-M6 available

The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.0.0-M6. Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specificat

Re: Vulnerability flagged in Nessus Scan

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Fang, Your application's web.xml will only provide error messages for errors which occur when a request has been issued to your application (e.g. /myapp/doesnotexist -> 404 -> your 404 page). But if you request something outside your web application

using custom classes in Tomcat configuration files

Hi, all. I'm getting close to releasing a new version of my Guise Mummy static site generation software. I gave a presentation over Guise Mummy's use of embedded Tomcat to serve the generated site locally for testing before deployment. It uses a custom site root and web resource https://guis

Re: Ensuring clean Tomcat shutdown

Hello Amit, Well, your approach will work. Personally, I do not like very much to parse logs. We, for instance, in our tomcat instances we provide an application that queries the status of the deployed apps, see below. If you have control in the code of "AAA" application I would suggest you to i