> I'm curious, are you actually running Tomcat with read-only set to FALSE? You
> would only do that under very very VERY specific circumstances. And you would
> only allow authenticated access to your server, and already trust those users
> not to attack you, right?

No, we made no changes to the default servlet, so we now see we are not impacted 
by the CVE and do not need to make the sun.io.useCanonCaches environment 
variable change.

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Friday, December 27, 2024 12:00 PM
To: users@tomcat.apache.org
Subject: Re: Setting sun.io.useCanonCaches to flase

On 12/27/24 9:49 AM, Carl Wick wrote:
> Running Tomcat as a service, don't have a Java tab.  Created the 
> following System Environment Variable:

Are you on Windows? Are you using the Tomcat service (procrun)? If so, then you 
have a Java tab somewhere.

> Variable name:  Sun.io.useCanonCaches
> Variable value:  false

Is this a Windows environment variable? If so, it will have no effect. 
It is also spelled incorrectly (cASe matTERs). If you end up setting a system 
preference, please spell it properly if you want it to take effect.

I'm curious, are you actually running Tomcat with read-only set to FALSE? You 
would only do that under very very VERY specific circumstances. And you would 
only allow authenticated access to your server, and already trust those users 
not to attack you, right?

-chris

> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Friday, December 20, 2024 12:12 PM
> To: users@tomcat.apache.org
> Subject: Re: Setting sun.io.useCanonCaches to flase
> 
> add the following to setenv.bat
> 
> set CATALINA_OPTS=%CATALINA_OPTS% -Dsun.io.useCanonCaches=false
> 
> If running as a service then system properties are set on the Java tab.
> You'd add:
> 
> -Dsun.io.useCanonCaches=false
> 
> Note: You only need to worry about this or CVE-2034-50379 if you have set 
> readonly="false" on the default servlet.
> 
> Mark
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 