VMware

vFabric tc Server 2.8 Release Notes

vFabric tc Server 2.8.5 | 08 JAN 2015
vFabric tc Server 2.8.4 | 03 JUN 2014
vFabric tc Server 2.8.3 SR1 | 18 FEB 2014
vFabric tc Server 2.8.2 | 31 JAN 2013
vFabric tc Server 2.8.1 | 8 NOV 2012
vFabric tc Server 2.8.0 | 16 OCT 2012

Last Document Update: 12 FEB 2015

What's New in vFabric tc Server 2.8.5

Note: This version is the final maintenance release. To continue receiving maintenance updates, please upgrade to tc Server version 3.x (recommended) or tc Server version 2.9.x.

  • * New tc Runtime versions:
    • tomcat-6.0.43.A.RELEASE
    • tomcat-7.0.57.B.RELEASE
  • Updated Spring Insight to Version 1.9.2.SR6
    • Insight plugins for Spring now support Spring 4
    • Support for tc Runtime 8 and Apache Tomcat 8
    • Support for Java 8

What's New in vFabric tc Server 2.8.4

  • * New tc Runtime versions:
    • tomcat-7.0.53.B.RELEASE
    • tomcat-6.0.40.B.RELEASE
  • Apache Tomcat security vulnerabilities and bugs fixed in tc Runtime 7.0.53.B.RELEASE. Search the Apache Tomcat security vulnerabilities page for the issue number for more information.
    • CVE-2014-0075, Information Disclosure, Severity: Important. It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack.
    • CVE-2014-0096, Information Disclosure, Severity: Important. The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities.
    • CVE-2014-0099, Information Disclosure, Severity: Important. The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header.
    • CVE-2014-0119, Information Disclosure, Severity: Low. In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.
    • Apache Software Foundation Bugzilla Issue #56334 / 55735: Enhanced JSP compiling to handle the different escaping required inside and outside EL expressions.
  • Apache Tomcat security vulnerabilities and bugs fixed in tc Runtime 6.0.40.B.RELEASE. Search the Apache Tomcat security vulnerabilities page for the issue number for more information.
    • CVE-2014-0075, Information Disclosure, Severity: Important. It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack.
    • CVE-2014-0096, Information Disclosure, Severity: Important. The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities.
    • CVE-2014-0099, Information Disclosure, Severity: Important. The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header.
    • CVE-2014-0119, Information Disclosure, Severity: Low. In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.
    • Apache Software Foundation Bugzilla Issue #56334 / 55735: Enhanced JSP compiling to handle the different escaping required inside and outside EL expressions.
    • Apache Software Foundation Bugzilla Issue #56529: Added test to Validator.java to check if an element has a next node to avoid exception errors.
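
The Content-Length overflow (CVE-2014-0099) and malformed chunk-size (CVE-2014-0075) entries above both come down to a request length field parsed without bounds checks. The following Python is an added example, not code from tc Server or Apache Tomcat: it shows an unchecked 64-bit accumulator that silently wraps beside checked parsers that refuse such input; the function names and the chunk-digit cap are assumptions of this example.

```python
# Added example, not code from tc Server or Apache Tomcat: overflow-checked
# parsing of the two request-length fields the fixes above concern, the
# Content-Length header (CVE-2014-0099) and the chunk-size line of a chunked
# body (CVE-2014-0075). Function names and the chunk cap are this example's own.
from string import hexdigits
from typing import Optional

LONG_MAX = 2**63 - 1        # range of the signed 64-bit long a Java parser accumulates into
MAX_CHUNK_HEX_DIGITS = 8    # assumed cap: chunk sizes needing more hex digits are refused


def unchecked_content_length(value: str) -> int:
    """Models the defect described on the page: digits are accumulated into a
    signed 64-bit long with no overflow check, so an over-long digit string
    silently wraps instead of being rejected."""
    result = 0
    for ch in value.strip():
        if ch not in "0123456789":
            raise ValueError("non-digit in Content-Length")
        result = result * 10 + (ord(ch) - ord("0"))
        result = (result + 2**63) % 2**64 - 2**63   # two's-complement wrap of a Java long
    return result


def checked_content_length(value: str) -> Optional[int]:
    """Hardened form: accept only ASCII decimal digits and stop before any step
    that would overflow the accumulator. Returns None for a bad header; a server
    should answer that with 400 and close the connection rather than guess."""
    digits = value.strip()
    if not digits or any(ch not in "0123456789" for ch in digits):
        return None
    result = 0
    for ch in digits:
        d = ord(ch) - ord("0")
        if result > (LONG_MAX - d) // 10:   # result * 10 + d would exceed LONG_MAX
            return None
        result = result * 10 + d
    return result


def checked_chunk_size(line: str) -> Optional[int]:
    """Hardened chunk-size parse: drop any chunk extension, accept only hex
    digits, and refuse a size field longer than the cap, so a malformed size
    cannot be used to push an unbounded body past the request limits."""
    size_field = line.split(";", 1)[0].strip()
    if not size_field or len(size_field) > MAX_CHUNK_HEX_DIGITS:
        return None
    if any(ch not in hexdigits for ch in size_field):
        return None
    return int(size_field, 16)
```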

What's New in vFabric tc Server 2.8.3 SR1

  • * New tc Runtime versions:
    • tomcat-7.0.50.C.RELEASE
    • tomcat-6.0.39.A.RELEASE
  • Apache Tomcat security vulnerabilities fixed in tc Runtime 7.0.50.C.RELEASE:
    • CVE-2014-0050, Information Disclosure, Severity: Important. A vulnerability related to malformed requests potentially leading to a denial of service was fixed.
  • tc Server Hyperic plugin: The tcsadmin client now includes the updated list of XSD (XML Schema Definition) files to resolve role issues when completing certain actions.
What's New in vFabric tc Server 2.8.2

  • * New tc Runtime versions:
    • tomcat-7.0.35.B.RELEASE
    • tomcat-6.0.36.B.RELEASE

In addition to fixes in Apache Tomcat 7.0.35, tc Runtime 7.0.35.B.RELEASE contains a fix for JSP compilation. For more information see ASF Bug 54440.

The VMware Solution Exchange has also been updated with a new version of the Hyperic plugin for vFabric tc Server. Click the Tech Specs tab for instructions on installing this plugin into an existing vFabric Hyperic 5.0 installation.

What's New in vFabric tc Server 2.8.1

This VMware® vFabric™ tc Server release includes the following versions of tc Runtime:

  • tomcat-7.0.32.B.RELEASE
  • tomcat-6.0.36.A.RELEASE

The new tc Runtime 6 version fixes the Apache Tomcat security vulnerabilities listed below.

  • CVE-2012-2733, Apache Tomcat Denial of Service, Severity: Important. The checks that limited the permitted size of request headers were implemented too late in the request parsing process for the HTTP NIO connector. This enabled a malicious user to trigger an OutOfMemoryError by sending a single request with very large headers.
  • CVE-2012-3439, Apache Tomcat DIGEST authentication weaknesses, Severity: Moderate. Three weaknesses in Tomcat's implementation of DIGEST authentication were identified and resolved:
    • Tomcat tracked client rather than server nonces and nonce count.
    • When a session ID was present, authentication was bypassed.
    • The user name and password were not checked before indicating that a nonce was stale.
    These issues reduced the security of DIGEST authentication, making replay attacks possible in some circumstances.

What's New in vFabric tc Server 2.8.0

This VMware vFabric tc Server release includes the following new features:

  • * New tc Runtime versions:
    • tomcat-7.0.30.A
    • tomcat-6.0.35.B
  • apply-template Command of tcruntime-instance. The tcruntime-instance command script has a new command, apply-template, that you can use to apply a new template to an existing tc Runtime instance. Under Create and Modify a tc Runtime Instance, see "tcruntime-instance.sh Reference."
  • License File Packaging. You can now store vFabric license files in the instance directory, together with the other instance configuration files, as well as in the standard common location. See Activate a Local vFabric tc Server License.
  • Documentation on Managing Outages. The tc Server documentation includes a new section that describes basic steps for managing planned and unplanned outages. See Managing Planned and Unplanned Outages.
  • tcruntime-instance reference documentation. The online reference documentation and examples for tcruntime-instance are now aligned with the command-line usage output. Previously the online documentation and examples showed a different order of options and arguments.

The following changes apply to vFabric Suite 5.2 products, including vFabric tc Server and Spring Insight Operations:

  • New vfabric repository RPM for RHEL. As with each new release of vFabric Suite, if you use Red Hat Enterprise Linux (RHEL), you install a new VMware repository configuration RPM. This new installation enables you to easily browse and install the vFabric component RPMs associated with vFabric Suite 5.2, such as vFabric tc Server 2.8 and Spring Insight Operations 1.8. In addition, the 5.2 repository RPM installation now asks you immediately to accept the End User License Agreement (EULA). In previous releases, you accepted the EULA the first time you installed a vFabric component associated with the Suite release. See RHEL: Install vFabric tc Server Standard Edition from an RPM. Under Install and Configure Dashboard, see "RHEL Only: Install Dashboard Template from RPM" and under Install and Configure Insight Agent, see "RHEL Only: Install Agent RPM."
  • vfabric-all repository deprecated. The VMware RPM repository vfabric-all is deprecated and will no longer be updated with new RPMs. In addition to vFabric Suite components, vfabric-all contained releases of vFabric components that were not associated with a vFabric Suite release. If you want to install a vFabric component that is not yet part of a vFabric Suite release, you must download the RPM from the VMware Download Center and install it using rpm -ivhf. Under RHEL: Install vFabric tc Server Standard Edition from an RPM, see "Install vFabric tc Server from a Downloaded RPM."

Known Issues

The following problems have been identified in this release of vFabric tc Server. Where possible, a workaround is provided.

Each entry indicates the version in which the problem was found and, where applicable, the version in which it was fixed. If no fixed-in version is given, the problem still exists in the latest version of tc Server.

  • TCS-2673 (found in 2.8.0, fixed in 2.8.1): When you upgrade vFabric tc Server on RHEL using an RPM, the ownership of the existing tc Runtime directories changes to root:root from root:vfabric.
    Workaround: As the root user, change the group ownership of the tomcat-XX directories back to vfabric using the chgrp Unix command.
  • TCS-2672 (found in 2.8.0, fixed in 2.8.1): When you uninstall vFabric tc Server on RHEL using yum uninstall, some tc Runtime directories (that is, tomcat-XX) are not removed.
    Workaround: As the root user, remove them using the Unix rm command.

* The tc Runtime version refers to the corresponding Apache Tomcat release. A letter is added to indicate whether additional patches not yet released by the Apache Software Foundation are applied.

For example:

  • tc Runtime 7.0.53.A.RELEASE is equivalent to Apache Tomcat 7.0.53.
  • tc Runtime 7.0.53.B.RELEASE is equivalent to Apache Tomcat 7.0.53 plus important bug fixes, enhancements, or security fixes. The letter could also refer to a pre-release of Apache Tomcat 7.0.54.

The letter is incremented (7.0.53.C.RELEASE, 7.0.53.D.RELEASE, and so on) if additional patches or security fixes are applied after a release is named.

See the Apache Tomcat changelogs for a list of improvements introduced by release: