
I'm using an embedded Tomcat server in one of my Java projects. The creation of the server looks like

Tomcat _tomcat = new Tomcat();

I have configured the Tomcat server to use port numbers from 9001; everything was working fine.

Problem statement

To address the Apache Coyote vulnerability which was reported in a Nessus scan, I have modified the Tomcat server creation to

Tomcat _tomcat = new Tomcat();
// getConnector() returns the server's connector (creating a default one if none exists yet)
_tomcat.getConnector().setXpoweredBy(false);      // suppress the X-Powered-By response header
_tomcat.getConnector().setProperty("server", ""); // blank out the Server response header

After this change the Tomcat server binds to port 8080, which I have not configured anywhere. This causes an issue when I try to run two instances at once; it gives the error below.

[image: Tomcat server unable to bind error]

Question

How do I stop the Tomcat server from using port 8080 while keeping the Apache Coyote vulnerability fixes?

  • When talking about a vulnerability you should always name it (e.g. by CVE number). It would also be helpful if you could include the version of Tomcat you were using before updating (because of the vulnerability) and now after. – Robert Aug 24 '22 at 12:00
  • I don't have a CVE number; this vulnerability was reported as part of a Nessus scan. I'm using Tomcat 9.0.65, but upgrading the version will not solve this issue; we have to hide the server details to address the issue, which is what I'm doing in the second code snippet I shared, and that's causing the issue. – Sachin Naik Aug 25 '22 at 04:49
  • If the vulnerability was reported by Nessus, why don't you include that in your post? – Robert Aug 25 '22 at 07:21

1 Answer


Here, when you do _tomcat.getConnector(), a connector instance is called which is not yet initialized; it uses default values and listens on port 8080, which is the default port for a Tomcat Connector instance.

Instead of performing setXpoweredBy(false) and setProperty("server", "") on the default instance of the connector, move this part to where you are creating the Tomcat Connector instance, something like:

Connector connector = new Connector();   // org.apache.catalina.connector.Connector, HTTP/1.1 by default
connector.setPort(port);                 // bind to your configured port instead of the default 8080
connector.setXpoweredBy(false);          // suppress the X-Powered-By response header
connector.setProperty("server", "");     // blank out the Server response header

and then set this connector on the Tomcat server:

_tomcat.setConnector(connector);
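A complete embedded-Tomcat bootstrap that follows the answer above, added here as an illustration rather than code from the question or answer. It is written against the Tomcat 9 API named in the comments (javax.servlet namespace); the port 9001, the tiny servlet and the helper names hardenedConnector and connectorPorts are assumptions for the example. The connector is built and registered with setConnector() before anything calls getConnector(), and the program refuses to start if the service ends up with any connector other than the one configured, which is the failure mode the question describes.

```java
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;

public class EmbeddedTomcatExample {

    /** Builds a connector bound to the requested port with identifying headers suppressed. */
    static Connector hardenedConnector(int port) {
        Connector connector = new Connector();   // HTTP/1.1 protocol by default
        connector.setPort(port);                 // explicit port, so no default 8080 is used
        connector.setXpoweredBy(false);          // no X-Powered-By header in responses
        connector.setProperty("server", "");     // blank Server header, as in the question
        return connector;
    }

    /** Ports of every connector currently registered on the Tomcat service. */
    static List<Integer> connectorPorts(Tomcat tomcat) {
        List<Integer> ports = new ArrayList<>();
        for (Connector c : tomcat.getService().findConnectors()) {
            ports.add(c.getPort());
        }
        return ports;
    }

    public static void main(String[] args) throws LifecycleException, IOException {
        // Assumed port for this example; pass another as the first argument.
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 9001;

        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(Files.createTempDirectory("tomcat-base").toString());

        // Register the hardened connector BEFORE anything calls tomcat.getConnector();
        // getConnector() with no connector present would create a default one on 8080.
        tomcat.setConnector(hardenedConnector(port));

        // Minimal servlet so the server answers a request (assumed for the example).
        Context ctx = tomcat.addContext("", null);
        Tomcat.addServlet(ctx, "hello", new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                    throws IOException {
                resp.setContentType("text/plain");
                resp.getWriter().write("hello\n");
            }
        });
        ctx.addServletMappingDecoded("/*", "hello");

        // Guard against the problem from the question: exactly one connector, on our port.
        List<Integer> ports = connectorPorts(tomcat);
        if (ports.size() != 1 || ports.get(0) != port) {
            throw new IllegalStateException("unexpected connectors on ports " + ports);
        }

        tomcat.start();
        tomcat.getServer().await();
    }
}
```

With the server running, `curl -I http://localhost:9001/` should show neither an X-Powered-By header nor a Tomcat-identifying Server header, and `curl -I http://localhost:8080/` should fail to connect; running a second instance on another port no longer collides on 8080 because no default connector is ever created.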