Thank you!

_________________________
Michael Ferrick MBA
AVP – Application Reliability Operations | Market Data & Trader Support | GM | GA | GT | Corp
(He, Him, He’s)
1 Iron Street
Boston, Massachusetts, 02210 USA
+1 (617) 664-5842
mds_infrastruct...@ssga.com
statestreet.com / State Street on LinkedIn

-----Original Message-----
From: Chuck Caldarale <n82...@gmail.com>
Sent: Wednesday, September 11, 2024 9:48 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Trying to Resolve a Java Version Vulnerability I'm Using for Tomcat

> On Sep 11, 2024, at 08:13, Ferrick, Michael <michael_ferr...@ssga.com.INVALID> wrote:
>
> The powers above have notified me that the Java version 9.0.1.0 (x64) that I am using with Apache Tomcat 9.0.84 has a vulnerability on my Windows servers (OS 2019) and MUST be remediated. That means use another Java version!
>
> I removed Java 9.0.1 (64-bit) and Java (tm) SE Development Kit 9.0 (64-bit) from the Control Panel (It notified me that it would stop Tomcat) and I installed jdk-8u421-windows-x64.exe in the default location of C:\Program Files\Java, which was the same location as the original 9.0.1.0 version.
>
> Apache Software is located on E:\Program Files\Apache Software Foundation\Tomcat 9.0.
>
> I opened Services and attempted to Start Apache Tomcat and I got an error message. The only thing the message meant to me is that Tomcat failed to start. I'm not an SME (Subject Matter Expert) on JAVA or Tomcat; however, if the content is important to resolve, let me know.
>
> I removed Java 8u421 from the Control Panel (Both the Java SE Dev tool Kit and Java 8.421 (64-bit)).
>
> I re-installed jdk-9.0.1_windows-64_bin.exe and checked Control Panel to confirm both Java and the toolkit were also installed.
>
> I re-opened Services and was able to restart Apache Tomcat.
>
> I then downloaded Java 8u422-b05-windows-x64 and using the same procedures as above uninstalled Java 9.0.1 and installed Java 8.422 and it failed to start Apache Tomcat, so I once again had to revert to the "vulnerable" Java 9.0.1.
>
> Can anyone tell me what non-vulnerable version of Java will work with Tomcat 9.0.84 or what I am missing to make the 8.xx versions I have work? I can't simply upgrade Apache Tomcat as there are just too many developers entrenched in this version.

Going back to Java 8 sounds like a really bad idea at this stage, but if you must, then try clearing out Tomcat’s temp and work directories first. There may be class files in there compiled with Java 9 that will not be usable on prior versions of the JVM.

As others have stated, moving to a more recent supported JVM would be better, such as OpenJDK 21, which is an LTS version.

- Chuck

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
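
The stale-class concern in the reply above can be checked before anything is deleted. The following is an added example, not part of the thread or of Tomcat: it reads the class-file header of every compiled class under a work directory and lists those whose major version is newer than the target JVM can load. The sample tree, file names and function names are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# Class-file major versions per Java release (Java 8 = 52, Java 9 = 53, ...).
JAVA_MAJOR = {8: 52, 9: 53, 11: 55, 17: 61, 21: 65}


def class_major_version(path):
    """Return the class-file major version, or None if this is not a class file."""
    with open(path, "rb") as fh:
        header = fh.read(8)  # u4 magic, u2 minor_version, u2 major_version
    if len(header) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", header)
    return major if magic == 0xCAFEBABE else None


def find_too_new(root, target_java):
    """List (path, major) for classes under root that target_java cannot load."""
    limit = JAVA_MAJOR[target_java]
    hits = []
    for path in sorted(Path(root).rglob("*.class")):
        major = class_major_version(path)
        if major is not None and major > limit:
            hits.append((path, major))
    return hits


def build_sample_tree(root):
    """Constructed sample: a fake work/ tree holding header-only class files."""
    jsp_dir = Path(root) / "work" / "Catalina" / "localhost" / "app" / "org" / "apache" / "jsp"
    jsp_dir.mkdir(parents=True)
    (jsp_dir / "old_jsp.class").write_bytes(struct.pack(">IHH", 0xCAFEBABE, 0, 52))
    (jsp_dir / "new_jsp.class").write_bytes(struct.pack(">IHH", 0xCAFEBABE, 0, 53))
    (jsp_dir / "junk.class").write_bytes(b"\x00\x01")  # truncated, not a class file
    return Path(root) / "work"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        work = build_sample_tree(tmp)
        for path, major in find_too_new(work, target_java=8):
            print(f"{path.name}: major {major} needs a newer JVM than Java 8")
```

Pointed at a real Tomcat `work` directory while the service is stopped, an empty result means stale compiled classes are not the reason for the startup failure.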