VMware

vFabric tc Server 2.6 Release Notes

vFabric tc Server 2.6.8 | 08 JAN 2015
vFabric tc Server 2.6.7 | 03 JUN 2014
vFabric tc Server 2.6.6 SR1 | 18 FEB 2014
vFabric tc Server 2.6.5 | 26 APR 2012
vFabric tc Server 2.6.4 | 05 MAR 2012
vFabric tc Server 2.6.3 | 20 DEC 2011
vFabric tc Server 2.6.2 | 30 NOV 2011
vFabric tc Server 2.6.1 | 22 SEP 2011

Last Document Update: 12 FEB 2015

What's in the Release Notes

These release notes cover the following topics:

What's New in vFabric tc Server 2.6.8

Note: This version is the final maintenance release. To continue receiving maintenance updates, please upgrade to tc Server version 3.x (recommended) or tc Server version 2.9.x.

  • New * tc Runtime versions:
    • tomcat-6.0.43.A.RELEASE
    • tomcat-7.0.57.B.RELEASE
  • Updated Spring Insight to Version 1.9.2.SR6
    • Insight plugins for Spring now support Spring 4
    • Support for tc Runtime 8 and Apache Tomcat 8
    • Support for Java 8

What's New in vFabric tc Server 2.6.7

  • New * tc Runtime versions:
    • tomcat-7.0.53.B.RELEASE
    • tomcat-6.0.40.B.RELEASE
  • Apache Tomcat security vulnerabilities and bugs fixed in tc Runtime 7.0.53.B.RELEASE (search the Apache Tomcat security vulnerabilities page for each issue number for more information):
    • CVE-2014-0075 (Information Disclosure; Severity: Important): It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack.
    • CVE-2014-0096 (Information Disclosure; Severity: Important): The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities.
    • CVE-2014-0099 (Information Disclosure; Severity: Important): The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header.
    • CVE-2014-0119 (Information Disclosure; Severity: Low): In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.
    • Apache Software Foundation Bugzilla Issue #56334 / 55735: Enhanced JSP compiling to handle the different escaping required inside and outside EL expressions.
  • Apache Tomcat security vulnerabilities and bugs fixed in tc Runtime 6.0.40.B.RELEASE (search the Apache Tomcat security vulnerabilities page for each issue number for more information):
    • CVE-2014-0075 (Information Disclosure; Severity: Important): It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack.
    • CVE-2014-0096 (Information Disclosure; Severity: Important): The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities.
    • CVE-2014-0099 (Information Disclosure; Severity: Important): The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header.
    • CVE-2014-0119 (Information Disclosure; Severity: Low): In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.
    • Apache Software Foundation Bugzilla Issue #56334 / 55735: Enhanced JSP compiling to handle the different escaping required inside and outside EL expressions.
    • Apache Software Foundation Bugzilla Issue #56529: Added a test to Validator.java to check whether an element has a next node, to avoid exception errors.
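As an added example (not Tomcat's or tc Server's code), the two framing checks the CVE-2014-0075 and CVE-2014-0099 entries above describe, done defensively in Python: a Content-Length parser that bounds the value while accumulating it, shown beside an emulation of the 32-bit wraparound that a missing overflow check produces, and a chunk-size parser that rejects malformed or oversized sizes. The limits and the sample values are constructed for this example; the page does not state Tomcat's defaults.

```python
"""Added example (not tc Server or Tomcat code): defensive parsing of the two
request-framing values behind CVE-2014-0075 and CVE-2014-0099. Both bugs were
numeric header values accepted without bounding the result."""
import re

# Limits chosen for this example; the page does not state Tomcat's defaults.
MAX_CONTENT_LENGTH = 2**31 - 1   # largest value a signed 32-bit int can hold
MAX_CHUNK_SIZE = 1 << 20         # 1 MiB per chunk
MAX_CHUNK_HEX_DIGITS = 8         # more digits cannot fit MAX_CHUNK_SIZE anyway


class FramingError(ValueError):
    """Raised for any request-framing value that must be rejected."""


def wrap_int32(value: str) -> int:
    """Emulate a naive fixed-width parser: accumulate decimal digits and let the
    result wrap at 32 bits, which is what a missing overflow check produces."""
    n = 0
    for ch in value:
        n = (n * 10 + int(ch)) & 0xFFFFFFFF
    return n - (1 << 32) if n >= (1 << 31) else n


def parse_content_length(value: str, limit: int = MAX_CONTENT_LENGTH) -> int:
    """Parse Content-Length, rejecting signs, non-digits and values over limit."""
    v = value.strip(" \t")
    if not re.fullmatch(r"[0-9]+", v):
        raise FramingError("Content-Length must be unsigned decimal digits")
    n = 0
    for ch in v:
        n = n * 10 + int(ch)
        if n > limit:  # checked on every digit, so it holds for fixed-width ints too
            raise FramingError("Content-Length exceeds limit")
    return n


def parse_chunk_size(line: str, limit: int = MAX_CHUNK_SIZE) -> int:
    """Parse one chunk-size line such as "1f;ext=val" plus CRLF, ignoring extensions."""
    size_field = line.rstrip("\r\n").split(";", 1)[0]
    if not re.fullmatch(r"[0-9A-Fa-f]+", size_field):
        raise FramingError("chunk size must be hex digits")
    if len(size_field) > MAX_CHUNK_HEX_DIGITS:
        raise FramingError("chunk size has too many digits")
    n = int(size_field, 16)
    if n > limit:
        raise FramingError("chunk size exceeds limit")
    return n


def rejects(parser, value: str) -> bool:
    """True if parser refuses value; used by the demo below and by tests."""
    try:
        parser(value)
    except FramingError:
        return True
    return False


if __name__ == "__main__":
    # A proxy that parses Content-Length correctly sees about 4.29 GB; a back
    # end whose parser wrapped at 32 bits would see 3 bytes (constructed value).
    big = "4294967299"
    print("naive wrapped value:", wrap_int32(big))                  # 3
    print("hardened parser rejects it:", rejects(parse_content_length, big))
    print("chunk size of '1f;ext=1':", parse_chunk_size("1f;ext=1\r\n"))  # 31
```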

What's New in vFabric tc Server 2.6.6 SR1

The vFabric tc Server 2.6.6 SR1 release updates the version of the included * tc Runtime. See Supported Specifications, Related Products, and Platforms.

What's New in vFabric tc Server 2.6.5

The vFabric tc Server 2.6.5 release updates the version of the included * tc Runtime. See Supported Specifications, Related Products, and Platforms.

What's New in vFabric tc Server 2.6.4

The vFabric tc Server 2.6.4 release updates the version of the included * tc Runtime. See Supported Specifications, Related Products, and Platforms.

Also included in this release is a backport of ASF Bugzilla Bug 52444 from Tomcat 7.0.26.A to address issues with @HandlesTypes processing. This bug caused long startup times or excessive memory consumption for some Spring 3.1 applications.

What's New in vFabric tc Server 2.6.3

The vFabric tc Server 2.6.3 release updates the version of the included * tc Runtime. See Supported Specifications, Related Products, and Platforms.

What's New in vFabric tc Server 2.6.2

The vFabric tc Server 2.6.2 release includes a new Elastic Memory for Java plug-in for the vSphere Web Client. This plug-in adds the ability to monitor EM4J configuration and memory performance for EM4J-enabled Java workloads in the vSphere Web Client.

To learn more about using this feature, see Monitoring Memory with vSphere Web Client in Elastic Memory for Java.

The vFabric tc Server 2.6.2 release also updates the version of the included * tc Runtime and fixes some issues. See Supported Specifications, Related Products, and Platforms and Known and Fixed Issues.

What's New in tc Server 2.6.1

The vFabric tc Server 2.6.1 release updates the version of the included * tc Runtime and fixes a security vulnerability. See Supported Specifications, Related Products, and Platforms and Known and Fixed Issues.

What's New in vFabric tc Server 2.6.0

vFabric tc Server 2.6.0 includes the following new features:

Spring Insight Operations

Spring Insight Operations gives you real-time visibility into Web application and tc Server performance in production environments. Insight Operations graphs the health of an application over time for an entire cluster of tc Runtime instances and for each server in the cluster. You see application and server problems as they occur, with detailed information about contributing events.

Spring Insight Operations has a distributed architecture, with an agent component on each tc Runtime instance in a cluster and a centralized dashboard. The agent and dashboard components of Spring Insight Operations are tc Server templates, separately downloadable, and are available with tc Server Spring edition. Spring Insight Developer, which continues to be included in the tc Server Developer edition, works with one tc Runtime instance during the development phase for a Web application.

To learn more, see the Spring Insight Operations documentation.

Elastic Memory for Java (EM4J)

Elastic Memory for Java (EM4J) improves memory management for Java workloads in VMware® ESXi™. EM4J is part of VMware vFabric Cloud Application Platform 5.0 and is an add-on to vFabric tc Server. It is packaged as a template in the tc Server Standard Edition.

EM4J establishes a balloon by allocating objects in the Java heap, working with ESXi to reclaim available heap memory dynamically and allocate more memory to VMs that need more. It is a Java-savvy alternative to the VMware guest tools balloon driver. It allows you to overcommit memory on the ESXi host to improve consolidation ratios while avoiding the performance and reliability problems that Java's memory management has typically brought to the virtualization environment.

To learn more, see Elastic Memory for Java.

Unix Runtime User Support

The tc Server 2.6 release includes new features that enable running tc Server and the Hyperic Agent with specified Unix user accounts. Changes to the base template, boot-time startup support, and the tc Server Hyperic plug-in ensure that a tc Runtime instance runs as the desired Unix user, even when Hyperic Agent runs as root or another user.

In tc Server, a new base.runtime.user property in the base template specifies the Unix user that the tc Runtime instance will run as. The boot.rc.template file present in previous releases is gone. In its place, a newly created instance has a CATALINA_HOME/bin/init.d.sh script, which is designed to be linked into the /init/init.d directory and added to the Unix init scripts to start the tc Runtime instance at boot time. The script runs as root but uses su to execute the tc Runtime process as the specified user. You can use the base.runtime.user property to specify the user when you create an instance or edit the init.d.sh script to change the user. The default user is tc-server.

To set up a tc Runtime instance to run as a specified Unix user, in the Getting Started with vFabric tc Server documentation, see "Starting tc Runtime Instances Automatically at System Boot Time."

The tc Server plug-in included in Hyperic 4.6 enables you to run tc Server and the Hyperic Agent with different Unix users. Hyperic Agent can run as root so that it has access to system information on the host computer for reporting in the Hyperic user interface. tc Server instances can run as regular Unix users, which is important for security. If the Hyperic Agent runs as a user other than root, that user and the tc Runtime instance user must be members of the same primary Unix group.

When Hyperic discovers a new tc Server instance, it records the Unix user running the tc Server and, in the future, starts the instance with the same user. The new plug-in also ensures that applications deployed through the Hyperic interface are executable by the tc Runtime instance user. The plug-in uses the su or sudo command, depending on whether the Hyperic Agent is running as root or a non-root user, to change identities before starting a server or deploying an application. To use this feature, you must ensure that these commands are available in the /usr/bin directory. If the Hyperic agent is not executing as root, you must also add permissions to /etc/sudoers to allow it to start the tc Server instance.

To enable this feature, in the vFabric tc Server Administration documentation, see "Setting Up Unix Users for tc Server and Hyperic."
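An added example, not tc Server's init.d.sh or the Hyperic plug-in: the identity switch described above, in Python, choosing su when running as root and sudo otherwise, reading base.runtime.user with the documented default tc-server, and refusing a root target. The key=value properties format, the /opt/tcserver path and the sample values are assumptions; the page names only the property, the scripts and the default user.

```python
"""Added example (not tc Server's init.d.sh or the Hyperic plug-in): build the
identity-switch command the notes describe, without executing anything."""
import os
import pwd
import shlex

DEFAULT_RUNTIME_USER = "tc-server"  # default user named in the release notes


def runtime_user_from_properties(text: str) -> str:
    """Return base.runtime.user from Java-properties text, or the default.
    Assumption: the property lives in a key=value properties file; the page
    names only the key, not the file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "base.runtime.user":
            return value.strip() or DEFAULT_RUNTIME_USER
    return DEFAULT_RUNTIME_USER


def switch_user_argv(current_euid: int, target_user: str, command: list) -> list:
    """argv that runs command as target_user: su when we are root, sudo otherwise,
    as the notes describe for the plug-in. Refuses to hand the runtime to root."""
    if not target_user or target_user == "root":
        raise ValueError("tc Runtime must not run as root")
    if current_euid == 0:
        # su -c takes one shell string, so quote every argument: a path with a
        # space or a shell metacharacter must stay a single literal word.
        shell_cmd = " ".join(shlex.quote(a) for a in command)
        return ["/usr/bin/su", "-s", "/bin/sh", "-c", shell_cmd, target_user]
    # Non-root agent: sudo takes argv directly; -n fails rather than prompting,
    # which is what an unattended start wants when sudoers lacks the entry.
    return ["/usr/bin/sudo", "-n", "-u", target_user, "--", *command]


def same_primary_group(user_a: str, user_b: str) -> bool:
    """The notes require a non-root agent user and the runtime user to share a
    primary Unix group; check it against the local passwd database."""
    try:
        return pwd.getpwnam(user_a).pw_gid == pwd.getpwnam(user_b).pw_gid
    except KeyError:  # either account does not exist
        return False


if __name__ == "__main__":
    props = "# constructed sample configuration\nbase.runtime.user=tc-server\n"
    user = runtime_user_from_properties(props)
    # /opt/tcserver/instance is a placeholder path; tcruntime-ctl.sh is the
    # instance control script named in the release notes.
    argv = switch_user_argv(os.geteuid(), user,
                            ["/opt/tcserver/instance/bin/tcruntime-ctl.sh", "start"])
    print("would run:", " ".join(shlex.quote(a) for a in argv))
```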

Bash Completion for tc Server Scripts

If you use the bash shell on a Unix-like system and have installed and enabled the bash-completion package, you can enable completion for the tcruntime-instance.sh and tcruntime-ctl.sh tc Server scripts. With completion support, you can press the Tab key to complete command arguments or suggest possible alternatives while entering tc Server commands.

To set up command completion, in the Getting Started with vFabric tc Server documentation, see "Enabling Bash Completion for tc Server Scripts."

vFabric tc Server Editions

tc Server is available in three different editions. tc Server Developer is geared towards the enterprise application developer. tc Server Standard is designed for operators and administrators. tc Server Spring Edition, a part of vFabric Cloud Application Platform 5.0, is for operators and administrators deploying tc Server enterprise applications on VMware vSphere® and VMware® ESXi™ hosts. tc Server Standard and Spring Editions use the same installer and differ only in licensed features and support.

Feature Developer Edition Standard Edition Spring Edition
tc Runtime
Spring Insight Developer  
vFabric Hyperic with tc Server Plug-in  
Spring Insight Operations    
Elastic Memory for Java (EM4J)    
Commercial Spring Support    

Supported Specifications, Related Products, and Platforms

The following sections list the specifications, related product versions, and configurations supported with tc Server 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, and 2.6.6.

Supported Java EE Specifications

vFabric tc Server supports the following specifications:

tc Runtime Versions Included with tc Server 2.6.6 SR1

tc Server 2.6.6 SR1 includes the following tc Runtime versions:

  • tomcat-7.0.50.C.RELEASE
  • tomcat-6.0.39.A.RELEASE

Apache Tomcat security vulnerabilities fixed in tc Runtime 7.0.50.C.RELEASE.

Issue Number Description
CVE-2014-0050 Information Disclosure

Severity: Important

A vulnerability related to malformed requests potentially leading to a denial of service was fixed.

tc Runtime Versions Included with tc Server 2.6.5

tc Server 2.6.5 includes the following tc Runtime versions:

  • tomcat-6.0.35.A.RELEASE (same as in tc Server 2.6.4)
  • tomcat-7.0.26.A.RELEASE

tc Runtime Versions Included with tc Server 2.6.4

tc Server 2.6.4 includes the following tc Runtime versions:

  • tomcat-6.0.35.A.RELEASE (same as in tc Server 2.6.3)
  • tomcat-7.0.25.B.RELEASE

tc Runtime Versions Included with tc Server 2.6.3

tc Server 2.6.3 includes the following tc Runtime versions:

  • tomcat-6.0.35.A.RELEASE
  • tomcat-7.0.23.A.RELEASE

tc Runtime Versions Included with tc Server 2.6.2

tc Server 2.6.2 includes the following tc Runtime versions:

  • tomcat-6.0.33.B.RELEASE
  • tomcat-7.0.22.A.RELEASE

tc Runtime Versions Included with tc Server 2.6.1

tc Server 2.6.1 includes the following tc Runtime versions:

  • tomcat-6.0.33.A.RELEASE
  • tomcat-7.0.20.B.RELEASE

tc Runtime Versions Included with tc Server 2.6.0

tc Server 2.6.0 includes the following tc Runtime versions:

  • tomcat-6.0.32.C.RELEASE
  • tomcat-7.0.16.A.RELEASE

Supported Related Product Versions

The following related VMware product versions are supported with tc Server:

  • vFabric Hyperic Server version 4.6. Hyperic 4.6 includes Hyperic Plug-in for tc Server version 2.6.0.
  • Spring Insight Operations version 1.5.1. Download from the vFabric tc Server page on the VMware download page.
  • Spring Insight Developer version 1.5.1. Bundled with tc Server Developer Edition.
  • Elastic Memory for Java version 1.0. Bundled with tc Server Standard Edition.

Platform Support

The following table lists the supported platform configurations for executing tc Runtime. Other configurations may be supported on request; contact your sales representative for details.

Because you typically install and run the Hyperic Agent on the same computer as tc Runtime, you should also consult HQ Agent Requirements.

Follow the guidance of your operating system or JVM vendor when deciding which patch levels should be applied to your computer. In general, the latest patch update levels are recommended.

tc Server Supported Configurations

Operating System | Major Version | Chip Architecture | JVM
RedHat Enterprise Linux (RHEL) | V5 | x86 32 bit | Sun HotSpot 1.6
RedHat Enterprise Linux (RHEL) | V5 | x86 64 bit | Sun HotSpot 1.6
RedHat Enterprise Linux (RHEL) | V6 | x86 32 bit | Sun HotSpot 1.6
RedHat Enterprise Linux (RHEL) | V6 | x86 64 bit | Sun HotSpot 1.6
Ubuntu | 10.04 LTS | x86 64 bit | Sun HotSpot 1.6
Microsoft Windows | Server 2008 SP2 | x86 32 bit | Sun HotSpot 1.6
Microsoft Windows | Server 2008 SP2 | x86 64 bit | Sun HotSpot 1.6
Microsoft Windows | Server 2003 SP2 and newer | x86 32 bit | Sun HotSpot 1.6

The following table lists specifically tested patch update levels for the latest 2.6.x version of tc Runtime. The table is updated as new configurations are tested.

Tested Configurations

Operating System | Major Version | Chip Architecture | OS Patch Level | JVM
RedHat Enterprise Linux (RHEL) | V5 | x86_64 | 2.6.18-164.28.1.el5 | Sun 1.6.0_20
RedHat Enterprise Linux (RHEL) | V5 | x86_32 | 2.6.18-164.28.1.el5PAE | Sun 1.6.0_20
RedHat Enterprise Linux (RHEL) | V6 | x86_64 | 2.6.18-164.28.1.el5 | Sun 1.6.0_20
RedHat Enterprise Linux (RHEL) | V6 | x86_32 | 2.6.18-164.28.1.el5 | Sun 1.6.0_20
Ubuntu | 10.04 LTS | x86_64 | | 
Microsoft Windows | Server 2003 | x86_32 | SP2 | Sun 1.6.0_18
Microsoft Windows | Server 2008 | x86_32 | SP2 | Sun 1.6.0_18

Known and Fixed Issues

The following problems have been identified in this release of vFabric tc Server. Where possible, a workaround is provided.

The table indicates the version in which the problem was found and, where applicable, the version in which it was fixed. If the Fixed In column is blank, it means the problem still exists in the latest version of tc Server.

Issue Number | Description | Found In | Fixed In
CVE-2011-4858 | Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. | 2.6.2 | 2.6.3
CVE-2011-3190 | vFabric tc Server 2.6.0 AJP request forgery. vFabric tc Server 2.6.0 is vulnerable to an AJP request forgery as described in CVE-2011-3190. Full details on this vulnerability can be found at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190. This vulnerability does not affect the org.apache.jk.server.JkCoyoteHandler AJP connector for Apache Tomcat 6-based runtimes. Note that this connector is not available for Tomcat 7-based runtimes. All other AJP connectors (org.apache.coyote.ajp.AjpProtocol, org.apache.coyote.ajp.AjpNioProtocol and org.apache.coyote.ajp.AjpAprProtocol) are affected. The tc Runtime ajp template configures the org.apache.coyote.ajp.AjpProtocol connector for both Apache Tomcat 6- and Apache Tomcat 7-based runtimes. | 2.6.0 | 2.6.1
METRICS-2089 | The Help link in the Spring Insight User Interface goes to the tc Server 2.1 documentation home page instead of the vFabric 5.0 Documentation Center. The correct link is http://pubs.vmware.com/vfabric5/topic/com.vmware.vfabric.tc-server.2.6/index.html. | 2.6.0 | 
TCS-2378 | Deploying a WAR file using the "deploy from local machine" method fails when HQ Server 4.5.1.2 is running on Windows and tc Server is running on Linux. | 2.1.3 | 2.6.2
TCS-2379 | The Hyperic plug-in for tc Server is missing the following services: SpringSource tc Runtime 7.0 Cache; SpringSource tc Runtime 7.0 Data Source Context; SpringSource tc Runtime 7.0 Tomcat JDBC Connection Pool Context. | 2.5.2 | 2.6.2
TCS-2382 | Links in the README.txt file point to password-protected documentation pages on the incorrect server. | 2.6.1 | 2.6.2
TCS-2384 | When using the HQ interface to add an HTTPS connector, the SSLEnabled="true" attribute is omitted. | 2.5.2 | 2.6.2
Bugzilla #51872 | Ensure the access log always logs the correct remote IP. Ensure requests with multiple errors do not result in multiple access log entries. | 2.6.1 | 2.6.2

* The tc Runtime version refers to the corresponding Apache Tomcat release. A letter is added to indicate whether additional patches not yet released by the Apache Software Foundation are applied.

For example:

  • tc Runtime 7.0.53.A.RELEASE is equivalent to Apache Tomcat 7.0.53.
  • tc Runtime 7.0.53.B.RELEASE is equivalent to Apache Tomcat 7.0.53 plus important bug fixes, enhancements, or security fixes. The letter could also refer to a pre-release of Apache Tomcat 7.0.54.

    The letter is incremented (7.0.53.C.RELEASE, 7.0.53.D.RELEASE, and so on) if additional patches or security fixes are applied after a release is named.

See the Apache Tomcat changelogs for a list of improvements introduced by release: