Apache Tomcat Latest

The information below was sent to U-M IT groups on March 3, 2020. It is intended for U-M IT staff who are responsible for university servers with Apache Tomcat installed. This includes servers running Red Hat Linux and other Linux distributions that include Apache Tomcat.

Summary

A vulnerability has been discovered in Apache Tomcat that could allow for reading and writing to files in the webapp directories of Tomcat. Apache Tomcat is an open-source web server that supports running Java code. Depending on the privileges associated with the application, an attacker exploiting the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Update to the latest version of Apache Tomcat as soon as possible after appropriate testing.

Problem

There is a vulnerability affecting all versions of Apache Tomcat that can be exploited to read or write files to a Tomcat server. Proof-of-concept code has been released to GitHub by multiple security researchers. Mass scanning activity targeting the vulnerability was detected over the weekend of February 29–March 1.

Affected Versions

  • Apache Tomcat 9.x versions less than 9.0.31
  • Apache Tomcat 8.x versions less than 8.5.51
  • Apache Tomcat 7.x versions less than 7.0.100
  • Apache Tomcat 6.x versions (End of life, not patched)
  • Red Hat JBoss Web Server (JWS) versions 3.1.7 and 5.2.0
  • Red Hat JBoss Enterprise Application Platform (EAP) versions 6.x and 7.x
  • Red Hat Enterprise Linux (RHEL) versions 5.x ELS, 6.x, 7.x, and 8.x (as pki-servlet-container, pki-servlet-engine in pki-deps module)
  • Any apps that include Tomcat server

Action Items

Update as soon as possible after appropriate testing. The need for immediate action requires an expedited timeframe that supersedes the remediation timeframes in Vulnerability Management (DS-21). This is particularly important for any systems that allow access from untrusted networks, such as those exposed to access from the internet.

  • Update to the latest version of Apache Tomcat. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.
  • Red Hat recommends disabling the Apache JServ Protocol (AJP) connector in Tomcat if not used, or binding it to localhost port, since most of AJP's use is in cluster environments, and the 8009 port should never be exposed on the internet without strict access-control lists. The AJP connector is enabled by default on all Tomcat servers.
  • If the Apache JServ Protocol (AJP) service is not required, disable it on the host.
  • If the AJP service does not need to be publicly accessible, ensure that access is filtered.
  • If your Linux distribution or apps include Tomcat, watch for updates from your vendor and apply them.
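
The checks in the action items above can be scripted. The following is an added example, not code from U-M, Red Hat or the Apache Tomcat project: it compares a Tomcat version string with the fixed releases listed in this advisory and lists the active AJP connectors in a `server.xml`, flagging any not bound to loopback. The function names and the sample configuration are constructed for illustration; `port`, `protocol` and `address` are standard Tomcat `<Connector>` attributes.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, as listed in this advisory.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def is_affected(version):
    """True/False per the advisory's version list; None if the branch is not listed."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = tuple(int(g) for g in m.groups())
    if parts[0] == 6:
        return True  # end of life, not patched
    fixed = FIXED.get(parts[0])
    return None if fixed is None else parts < fixed

def audit_ajp(server_xml):
    """Return one finding per active AJP <Connector> in a server.xml string."""
    findings = []
    # XML comments are discarded by the parser, so commented-out connectors are skipped.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        address = conn.get("address")
        findings.append({
            "port": conn.get("port"),
            "address": address,
            # Assumption: a missing address is treated as "all interfaces",
            # which is how the affected releases behave.
            "exposed": address not in LOOPBACK,
        })
    return findings

# Constructed sample configuration (not taken from a real server).
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8019" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for finding in audit_ajp(SAMPLE):
        print(finding)
    print(is_affected("9.0.30"), is_affected("8.5.51"))
```

A connector reported as exposed still needs the network-level filtering described above; the script only reads configuration and does not probe the port.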

Threats

By exploiting the Ghostcat vulnerability, an attacker could read the contents of configuration files and source code files of all webapps deployed on Tomcat. In addition, if the website application allows users to upload files, an attacker could upload a file containing malicious code to the server and execute code remotely. Proof-of-concept code for testing or launching Ghostcat attacks proliferated on GitHub after public disclosure of the vulnerability in late February. Mass scanning activity targeting the vulnerability was detected over the weekend of February 29–March 1.

Technical Details

  • A vulnerability has been discovered in Apache Tomcat, which could allow for reading of arbitrary files on the affected system. The vulnerability exists in the Apache JServ Protocol (AJP), which is by default exposed over TCP port 8009 and enabled. The vulnerability can be exploited by an attacker who can communicate with the affected AJP protocol service. If the server is running a web application that allows for file uploads, a remote file inclusion vulnerability that could allow for remote code execution becomes exploitable. Successful exploitation of the vulnerability could allow an attacker to read arbitrary files on the affected server. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
  • Due to the inclusion of Apache Tomcat in Red Hat products, multiple vulnerabilities have been announced in Red Hat products, the most severe of which could allow for reading of arbitrary files on the affected system. CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. CVE-2020-1745 is a vulnerability very similar to CVE-2020-1938 but occurs in Apache Undertow. These vulnerabilities exist in the AJP protocol which is, by default, exposed over TCP port 8009 and enabled. An attacker with the ability to interact with the AJP protocol could exploit these vulnerabilities using specially crafted packets and/or files. Successful exploitation of these vulnerabilities could allow an attacker to read arbitrary files on the affected server or, in the case where file upload functionality is enabled, possibly execute code.

Detection

Chinese cybersecurity company Chaitin, which discovered the vulnerability, has made tools available to determine if a server is affected by Ghostcat. See Ghostcat (Chaitin).

How We Protect U-M

  • Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.

Information for Users

The Ghostcat vulnerability affects servers, so general users will not encounter it.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

References

  • Active Scans for Apache Tomcat Ghostcat Vulnerability Detected, Patch Now (Bleeping Computer, 3/2/20)
  • Ghostcat bug impacts all Apache Tomcat versions released in the last 13 years (ZDNet, 2/28/20)
  • GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat (The Hacker News, 2/28/20)
  • Apache Tomcat Affected by Serious 'Ghostcat' Vulnerability (Security Week, 2/28/20)
  • Ghostcat (Chaitin)

Apache Ant™

Apache Ant is a Java library and command-line tool whose mission is to drive processes described in build files as targets and extension points dependent upon each other. The main known usage of Ant is the build of Java applications. Ant supplies a number of built-in tasks for compiling, assembling, testing and running Java applications. Ant can also be used effectively to build non-Java applications, for instance C or C++ applications. More generally, Ant can be used to pilot any type of process which can be described in terms of targets and tasks.

Ant is written in Java. Users of Ant can develop their own 'antlibs' containing Ant tasks and types, and are offered a large number of ready-made commercial or open-source 'antlibs'.

Ant is extremely flexible and does not impose coding conventions or directory layouts to the Java projects which adopt it as a build tool.

Software development projects looking for a solution combining build tool and dependency management can use Ant in combination with Apache Ivy.

The Apache Ant project is part of the Apache Software Foundation.

Apache Ant 1.10.10

April 17, 2021 - Apache Ant 1.10.10 Released

Apache Ant 1.10.10 is now available for download as source or binary from https://ant.apache.org/bindownload.cgi.

The Apache Ant team currently maintains two lines of development. The 1.9.x releases require Java5 at runtime and 1.10.x requires Java8 at runtime. Both lines are based off of Ant 1.9.7 and the 1.9.x releases are mostly bug fix releases while additional new features are developed for 1.10.x. We recommend using 1.10.x unless you are required to use versions of Java prior to Java8 during the build process.

Ant 1.10.10 contains numerous bugfixes and some enhancements.

It also introduces new discardOutput and discardError attributes to tasks like java, exec to completely discard the output and error generated by the processes launched by those tasks.

Apache AntUnit 1.4

Jun 26, 2018 - Apache AntUnit 1.4 Released

Apache AntUnit 1.4 is now available for download as binary or source release.

This release fixes a few race-conditions in LogCapturer and the br-template inside the XSLT stylesheet used for creating the reports.

EasyAnt retired

Dec 13, 2016 - EasyAnt retired

The Ant PMC voted to archive the EasyAnt subproject and all its modules. This means that all its resources are removed or made read only and no further development will be done.
It also means that, if a community grows, the subproject could be reactivated.

Apache Ivy 2.4.0

December 26, 2014 - Apache Ivy 2.4.0 Released

Apache Ivy 2.4.0 is now available for download as source or binary (with and without dependencies) from https://ant.apache.org/ivy/download.cgi.

Key features of the 2.4.0 release are

  • some new Ant tasks
  • improved OSGI support
  • a Bintray resolver
  • numerous bug fixes as documented in Jira and in the release notes

For more information see the Ivy home page.

Apache IvyDE 2.2.0

November 22, 2013 - Apache IvyDE 2.2.0 Released

The Apache IvyDE project is pleased to announce its 2.2.0 release.

The Apache IvyDE Eclipse plugin integrates Apache Ivy's dependency management into Eclipse. It lets you manage your dependencies declared in an ivy.xml in your Java Eclipse projects, or any other kind of project which needs dependency management. Apache IvyDE will contribute to the classpath of your Java project or you can make it retrieve your dependencies directly into your project. Last but not least, Apache IvyDE offers editors for ivy.xml and ivysettings.xml files with completion. Get a preview here: https://ant.apache.org/ivy/ivyde/screenshots.html

Major changes in this release

  • The API of IvyDE has been stabilized so that third party plugins can rely on it,
  • while still not complete, and still not advertised as stable in Ivy, support of OSGi has been added,
  • javadoc and source attachment can now be edited one by one,
  • improved stability of the resolve process,
  • improved logging for easier debugging.

Compatibility

  • This release is expected to work with every version of Ivy 2.1 or superior. The OSGi features require Ivy 2.3.0 or superior though.

This release is considered stable. The beta of 2.2.0 has been out for a (too) long time.

More detailed release notes can be read here: https://ant.apache.org/ivy/ivyde/history/latest-milestone/release-notes.html
Download the 2.2.0 release at: https://ant.apache.org/ivy/ivyde/download.cgi
Or use directly the Apache IvyDE's updatesite: https://downloads.apache.org/ant/ivyde/updatesite
Issues should be reported to: https://issues.apache.org/jira/browse/IVYDE
More information can be found on the Apache IvyDE website: https://ant.apache.org/ivy/ivyde/

Documentation

You can view the documentation for the current release online

Comprehensive documentation is included in the source and binary distributions.

Get Involved