Carl,

On 12/30/24 8:15 AM, Carl Wick wrote:
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, December 27, 2024 12:00 PM
To: users@tomcat.apache.org
Subject: Re: Setting sun.io.useCanonCaches to flase

On 12/27/24 9:49 AM, Carl Wick wrote:
Running Tomcat as a service, don't have a Java tab.  Created the following System Environment Variable:

Are you on Windows? Are you using the Tomcat service (procrun)? If so, then you have a Java tab somewhere.

Yes, this is Windows Server.  Tomcat is running as service, there is no procrun, the executable that is running is tomcat9.exe.

Tomcat9.exe *is* procrun.

Tomcat9w.exe is procrun's configuration companion. If you run it, it will show a number of tabs including the "Java" one to configure the JVM settings.

Variable name:  Sun.io.useCanonCaches
Variable value:  false

Is this a Windows environment variable? If so, it will have no effect.
It is also spelled incorrectly (cASe matTERs). If you end up setting a system preference, please spell it properly if you want it to take effect.

Taken directly from CVE:
running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

I see that, but your "Variable name" starts with a capital "S" and not a lowercase "s" as in the CVE.

I'm curious, are you actually running Tomcat with read-only set to FALSE? You would only do that under very very VERY specific circumstances. And you would only allow authenticated access to your server, and already trust those users not to attack you, right?

No, we made no changes to the default servlet, so now see we are not impacted by the CVE and do not need to make the sun.io.useCanonCaches environment variable change.

That's good news.

Might I ask why you have subclassed the DefaultServlet? If it's a useful enough use case, perhaps it can be incorporated into Tomcat itself? Or maybe there is a better way to accomplish your goal?

-chris

-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Friday, December 20, 2024 12:12 PM
To: users@tomcat.apache.org
Subject: Re: Setting sun.io.useCanonCaches to flase

add the following to setenv.bat

set CATALINA_OPTS=%CATALINA_OPTS% -Dsun.io.useCanonCaches=false

If running as a service then system properties are set on the Java tab.
You'd add:

-Dsun.io.useCanonCaches=false

Note: You only need to worry about this or CVE-2034-50379 if you have set readonly="false" on the default servlet.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
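
The two conditions discussed in this thread can be checked together. The following is an added example, not part of the thread and not Tomcat project code: it reports whether any servlet in a web.xml has readonly explicitly set to false, and whether the JVM options contain the system property with the exact spelling. It assumes the caller supplies the web.xml text and the list of JVM options (copied from the procrun Java tab or from CATALINA_OPTS); the function names and the sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROP = "sun.io.useCanonCaches"  # exact spelling from the CVE text quoted in the thread

def local(tag):
    """Drop the XML namespace so any web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), "")

def writable_servlets(web_xml):
    """Names of servlets whose init-param readonly is explicitly false."""
    found = []
    for servlet in ET.fromstring(web_xml).iter():
        if local(servlet.tag) != "servlet":
            continue
        for param in servlet:
            if (local(param.tag) == "init-param"
                    and child_text(param, "param-name") == "readonly"
                    and child_text(param, "param-value").lower() == "false"):
                found.append(child_text(servlet, "servlet-name"))
    return found

def canon_cache_flag(jvm_options):
    """'set' if -Dsun.io.useCanonCaches=false is present with exact case,
    'misspelled' if only a wrong-case variant exists, else 'not_set'."""
    state = "not_set"
    for opt in jvm_options:
        if not opt.startswith("-D"):
            continue
        key, _, value = opt[2:].partition("=")
        if key == PROP and value == "false":
            return "set"
        if key != PROP and key.lower() == PROP.lower():
            state = "misspelled"
    return state

def audit(web_xml, jvm_options):
    servlets, flag = writable_servlets(web_xml), canon_cache_flag(jvm_options)
    return {"writable": servlets, "flag": flag,
            "action_needed": bool(servlets) and flag != "set"}

# Constructed sample: a web.xml fragment with the default servlet made writable.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
print(audit(SAMPLE_WEB_XML, ["-Xmx512m", "-DSun.io.useCanonCaches=false"]))
```

A Windows environment variable never appears in the JVM option list, so it is reported as `not_set` here, which matches the point made in the thread that it has no effect.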




