Michael,

On 9/11/24 09:13, Ferrick, Michael wrote:
> Hello,
>
> The powers above have notified me that the Java version 9.0.1.0 (x64) that I am
> using with Apache Tomcat 9.0.84 has a vulnerability on my Windows servers (OS
> 2019) and MUST be remediated. That means use another Java version!
>
> I removed Java 9.0.1 (64-bit) and Java (tm) SE Development Kit 9.0 (64-bit)
> from the Control Panel (It notified me that it would stop Tomcat) and I
> installed jdk-8u421-windows-x64.exe in the default location of C:\Program
> Files\Java, which was the same location as the original 9.0.1.0 version.
>
> Apache Software is located on E:\Program Files\Apache Software
> Foundation\Tomcat 9.0.
>
> I opened Services and attempted to Start Apache Tomcat and I got an error
> message. The only thing the message meant to me is that Tomcat failed to start.
> I'm not an SME (Subject Matter Expert) on JAVA or Tomcat however if the content
> is important to resolve let me know.
>
> I removed Java 8u421 from the Control Panel (Both the Java SE Dev tool Kit and
> Java 8.421 (64-bit)).
>
> I re-installed jdk-9.0.1_windows-64_bin.exe and checked Control Panel to
> confirm both Java and the toolkit were also installed.
>
> I re-opened Services and was able to restart Apache Tomcat.
>
> I then downloaded Java 8u422-b05-windows-x64 and using the same procedures as above
> uninstalled Java 9.0.1 and installed Java 8.422 and it failed to start Apache Tomcat, so
> I once again had to revert to the "vulnerable" Java 9.0.1.
>
> Can anyone tell me what non-vulnerable version of Java will work with Tomcat
> 9.0.84 or what I am missing to make the 8.xx versions I have work? I can't
> simply upgrade Apache Tomcat as there are just too many developers entrenched
> in this version.

If you are using the Windows Service snap-in to start and stop Tomcat, then you likely need to update the service definition with the new path to Java. I don't think it auto-detects the Java version.

Run the tomcat9w.exe application and you should get a properties dialog which allows you to inspect the Tomcat service. If you have multiple Tomcat services, you may need to run "tomcat9w.exe //ES/servicename" from the command-line to get the right one.

In that properties dialog, you should be able to locate the path to Java and update it to match your newly-installed Java version.

-chris
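
A read-only check of the setting described in the reply above, as an added PowerShell example that is not part of the original message or of the Tomcat project: it reads the JVM path stored for the service and lists the jvm.dll files under the Java install directory. The service name `Tomcat9` is an assumption (the installer default); the two directories are the ones given in the question.

```powershell
# Added example: show which JVM the Tomcat Windows service is configured to load.
# Assumption: the service is named "Tomcat9"; change $ServiceName if yours differs.
$ServiceName = 'Tomcat9'
$TomcatBin   = 'E:\Program Files\Apache Software Foundation\Tomcat 9.0\bin'  # from the question
$JavaRoot    = 'C:\Program Files\Java'                                         # from the question

# Procrun stores service parameters in the 32-bit registry view, even on 64-bit Windows.
$key = "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"
if (-not (Test-Path $key)) {
    Write-Error "No Procrun parameters found for service '$ServiceName' at $key"
    return
}

$java = Get-ItemProperty -Path $key
$jvm  = $java.Jvm
"Configured Jvm      : $jvm"
"Configured JavaHome : $($java.JavaHome)"

if (-not $jvm -or $jvm -eq 'auto') {
    # 'auto' (also the default when unset) means Procrun finds the JVM via the Windows registry.
    "Jvm is 'auto': no fixed jvm.dll path is stored for this service."
} elseif (Test-Path -LiteralPath $jvm) {
    "Configured jvm.dll exists."
} else {
    "Configured jvm.dll is MISSING: the service cannot start until this path is updated."
}

# List every jvm.dll under the Java install root so the new path can be copied exactly.
# JDK 8 keeps it under jre\bin\server, JDK 9 and later under bin\server.
$candidates = Get-ChildItem -LiteralPath $JavaRoot -Recurse -Filter jvm.dll -ErrorAction SilentlyContinue
if (-not $candidates) {
    "No jvm.dll found under $JavaRoot"
    return
}
foreach ($dll in $candidates) {
    "Found: $($dll.FullName)"
    # Command-line equivalent of editing the path in the tomcat9w.exe dialog.
    # Printed only; review it, then run it from an elevated prompt.
    "  & `"$TomcatBin\tomcat9.exe`" //US//$ServiceName --Jvm=`"$($dll.FullName)`""
}
```

The script changes nothing; it only prints the current setting and the candidate update commands.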
