[CVE-2011-2729] - Need help who has knowledge of httpd(mod_jk) and tomcat.


[CVE-2011-2729] - Need help who has knowledge of httpd(mod_jk) and tomcat.

Soon Won Park
Hello,

I'd like to know what I should upgrade - tomcat or apache httpd?

CVE pointed out that some of the Tomcat versions on Linux have a vulnerability.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729

I have opentaps 1.0.3 (includes tomcat 5.5.20) version running on apache
2.2.3 by using mod_jk. Do you think I need to upgrade tomcat or
apache? It's a little bit difficult to upgrade opentaps version itself.

It might not be so difficult to upgrade both, but I'd like to make
sure what the real problem is before taking the next step.

My doubt is, if tomcat is being used through mod_jk, then the tomcat
version itself might not matter. And this means I do not need to
upgrade tomcat, but rather need to upgrade apache httpd which would be
the interface of the server. According to the CVE posting, it says I need
to upgrade to tomcat which includes vulnerable version of jsvc. Thus I
need to upgrade to jsvc 1.0.7 or later (I guess it's being used in
tomcat & apache both). But I couldn't find what version of jsvc is
being used on apache httpd 2.2.3. So I'm not sure I need to upgrade
apache httpd itself as well or not.

Any help would be appreciated. Thank you for reading.

Thank you.
Soon-Won Park

Re: [CVE-2011-2729] - Need help who has knowledge of httpd(mod_jk) and tomcat.

Anne Jessel
Apache only talks to mod_jk, not Tomcat, so the version of Apache you
need is whatever is compatible with your version of mod_jk.

I use Debian Linux, so what I would do first is use Google to work out
whether the version of Tomcat I want to use requires a specific
version of mod_jk. If so, I would use Debian's apt-get to ensure I had
at least that version of mod_jk, and apt-get would automatically
ensure I had a compatible version of Apache.

Of course, if you don't use a package manager such as apt-get, then
you'll have to read the release notes for the version you want to use.
However the documentation for these is usually pretty good at telling
you if there's some restriction with what version works with what.

I suspect that doesn't answer all of your question, but hopefully it
gives you a starting point, and maybe someone else can fill in the
gaps. I don't use Apache/mod_jk these days, having switched to nginx.

Cheers,
Anne.

On 11 October 2011 01:22, Soon Won Park <[hidden email]> wrote:

> Hello,
>
> I'd like to know what I should upgrade - tomcat or apache httpd?
>
> CVE pointed out that some of the Tomcat versions on Linux have a vulnerability.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729
>
> I have opentaps 1.0.3 (includes tomcat 5.5.20) version running on apache
> 2.2.3 by using mod_jk. Do you think I need to upgrade tomcat or
> apache? It's a little bit difficult to upgrade opentaps version itself.
>
> It might not be so difficult to upgrade both, but I'd like to make
> sure what the real problem is before taking the next step.
>
> My doubt is, if tomcat is being used through mod_jk, then the tomcat
> version itself might not matter. And this means I do not need to
> upgrade tomcat, but rather need to upgrade apache httpd which would be
> the interface of the server. According to the CVE posting, it says I need
> to upgrade to tomcat which includes vulnerable version of jsvc. Thus I
> need to upgrade to jsvc 1.0.7 or later (I guess it's being used in
> tomcat & apache both). But I couldn't find what version of jsvc is
> being used on apache httpd 2.2.3. So I'm not sure I need to upgrade
> apache httpd itself as well or not.
>
> Any help would be appreciated. Thank you for reading.
>
> Thank you.
> Soon-Won Park
>



--
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Phone: (03) 9585 6788
Fax: (03) 9585 1086
Web: http://www.cohsoft.com.au/
Email: [hidden email]

Bonsai ERP, the all-inclusive ERP system
http://www.bonsaierp.com.au/

Re: [CVE-2011-2729] - Need help who has knowledge of httpd(mod_jk) and tomcat.

Soon Won Park
Hello Anne,

Thank you for the valuable advice. Yeah, I can start with upgrading
httpd. I'm taking a look now actually. But I hope I could get the
answer for the "gap" as well as you mentioned.

Thank you.
Soon-Won


On Mon, Oct 10, 2011 at 7:15 PM, Anne <[hidden email]> wrote:

> Apache only talks to mod_jk, not Tomcat, so the version of Apache you
> need is whatever is compatible with your version of mod_jk.
>
> I use Debian Linux, so what I would do first is use Google to work out
> whether the version of Tomcat I want to use requires a specific
> version of mod_jk. If so, I would use Debian's apt-get to ensure I had
> at least that version of mod_jk, and apt-get would automatically
> ensure I had a compatible version of Apache.
>
> Of course, if you don't use a package manager such as apt-get, then
> you'll have to read the release notes for the version you want to use.
> However the documentation for these is usually pretty good at telling
> you if there's some restriction with what version works with what.
>
> I suspect that doesn't answer all of your question, but hopefully it
> gives you a starting point, and maybe someone else can fill in the
> gaps. I don't use Apache/mod_jk these days, having switched to nginx.
>
> Cheers,
> Anne.
>
>
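
On the open question of where jsvc sits: jsvc is the Apache Commons Daemon launcher that can be used to start Tomcat as a service, and it is not a component of httpd or mod_jk, so the check below looks only at how Tomcat was started. This is an added example, not part of the thread or of opentaps. The function names, sample process lines and the 1.0.6 input are constructed for illustration, and the installed jsvc version is assumed to be supplied by the operator.

```sh
#!/bin/sh
# Added example. Sample process lines are constructed, not captured output.
FIXED_JSVC="1.0.7"   # first fixed jsvc release, as cited in the thread

SAMPLE_JSVC='/usr/sbin/httpd -k start
jsvc.exec -user tomcat -cp /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap'
SAMPLE_JAVA='/usr/sbin/httpd -k start
/usr/bin/java -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start'

# version_lt A B: succeed when dotted version A is older than B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
         sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# tomcat_launcher: read `ps -eo args` style lines on stdin and print how the
# Tomcat Bootstrap class was started: "jsvc", "java" or "none".
tomcat_launcher() {
    awk '
        /org\.apache\.catalina\.startup\.Bootstrap/ {
            n = split($1, p, "/"); exe = p[n]
            if (exe ~ /^jsvc/) { found = "jsvc"; exit }
            if (exe ~ /^java/ && found == "") found = "java"
        }
        END { print (found == "" ? "none" : found) }'
}

# assess LAUNCHER JSVC_VERSION: httpd and mod_jk versions are not inputs,
# because jsvc only exists on the Tomcat side.
assess() {
    case "$1" in
        jsvc) if version_lt "$2" "$FIXED_JSVC"
              then echo "upgrade-jsvc"; else echo "jsvc-ok"; fi ;;
        java) echo "jsvc-not-in-use" ;;
        *)    echo "tomcat-not-found" ;;
    esac
}

# Demo on the constructed samples; on a live host pipe `ps -eo args` instead.
# The jsvc version (1.0.6 here) is a constructed value the operator supplies.
for sample in "$SAMPLE_JSVC" "$SAMPLE_JAVA"; do
    launcher=$(printf '%s\n' "$sample" | tomcat_launcher)
    echo "$launcher: $(assess "$launcher" 1.0.6)"
done
```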