Resolves: rhbz#2061424 Add Java 9 start-up parameters to allow reflection

Fixes CVE-2022-23181

java-9-start-up-parameters.conf

@@ -0,0 +1,7 @@
+# Add the JAVA 9 specific start-up parameters required by Tomcat
+JDK_JAVA_OPTIONS="$JDK_JAVA_OPTIONS --add-opens=java.base/java.lang=ALL-UNNAMED"
+JDK_JAVA_OPTIONS="$JDK_JAVA_OPTIONS --add-opens=java.base/java.io=ALL-UNNAMED"
+JDK_JAVA_OPTIONS="$JDK_JAVA_OPTIONS --add-opens=java.base/java.util=ALL-UNNAMED"
+JDK_JAVA_OPTIONS="$JDK_JAVA_OPTIONS --add-opens=java.base/java.util.concurrent=ALL-UNNAMED"
+JDK_JAVA_OPTIONS="$JDK_JAVA_OPTIONS --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED"
+export JDK_JAVA_OPTIONS

rhbz-1857043.patch

@@ -1,16 +1,16 @@
 diff -up ./build.xml.orig ./build.xml
---- ./build.xml.orig	2020-07-24 10:24:08.313796968 -0400
-+++ ./build.xml	2020-07-24 10:24:38.027427445 -0400
-@@ -757,7 +757,7 @@
+--- build.xml.orig	2021-07-07 10:53:55.493742841 +0800
++++ build.xml	2021-07-07 11:09:43.107968515 +0800
+@@ -1030,7 +1030,7 @@
        filesDir="${tomcat.classes}"
        filesId="files.annotations-api"
        manifest="${tomcat.manifests}/annotations-api.jar.manifest"
 -      addOSGi="true" />
 +      addOSGi="false" />
  
-     <!-- Servlet 4.0 Implementation JAR File -->
+     <!-- Servlet Implementation JAR File -->
      <jarIt jarfile="${servlet-api.jar}"
-@@ -766,41 +766,41 @@
+@@ -1039,41 +1039,41 @@
        manifest="${tomcat.manifests}/servlet-api.jar.manifest"
        notice="${tomcat.manifests}/servlet-api.jar.notice"
        license="${tomcat.manifests}/servlet-api.jar.license"
@@ -41,7 +41,7 @@ diff -up ./build.xml.orig ./build.xml
 -      addOSGi="true" />
 +      addOSGi="false" />
  
-     <!-- JASPIC 1.1 API JAR File -->
+     <!-- JASPIC API JAR File -->
      <jarIt jarfile="${jaspic-api.jar}"
        filesDir="${tomcat.classes}"
        filesId="files.jaspic-api"
@@ -58,7 +58,7 @@ diff -up ./build.xml.orig ./build.xml
  
      <!-- Bootstrap JAR File -->
      <jarIt jarfile="${bootstrap.jar}"
-@@ -812,61 +812,61 @@
+@@ -1085,61 +1085,61 @@
      <jarIt jarfile="${tomcat-util.jar}"
        filesDir="${tomcat.classes}"
        filesId="files.tomcat-util"
@@ -130,7 +130,7 @@ diff -up ./build.xml.orig ./build.xml
  
      <!-- Catalina Ant Tasks JAR File -->
      <jarIt jarfile="${catalina-ant.jar}"
-@@ -877,27 +877,27 @@
+@@ -1150,27 +1150,27 @@
      <jarIt jarfile="${catalina-storeconfig.jar}"
        filesDir="${tomcat.classes}"
        filesId="files.catalina-storeconfig"
@@ -162,7 +162,7 @@ diff -up ./build.xml.orig ./build.xml
  
      <!-- i18n JARs -->
      <jar jarfile="${tomcat.build}/lib/tomcat-i18n-cs.jar"
-@@ -1375,7 +1375,7 @@
+@@ -1644,7 +1644,7 @@
             filesId="files.tomcat-embed-core"
             notice="${tomcat.manifests}/servlet-api.jar.notice"
             license="${tomcat.manifests}/servlet-api.jar.license"
@@ -171,7 +171,7 @@ diff -up ./build.xml.orig ./build.xml
             addGraal="true"
             graalPrefix="org.apache.tomcat.embed/tomcat-embed-core"
             graalFiles="res/graal/tomcat-embed-core/native-image"
-@@ -1383,7 +1383,7 @@
+@@ -1652,7 +1652,7 @@
      <jarIt jarfile="${tomcat-embed-el.jar}"
             filesDir="${tomcat.classes}"
             filesId="files.tomcat-embed-el"
@@ -180,7 +180,7 @@ diff -up ./build.xml.orig ./build.xml
             addGraal="true"
             graalPrefix="org.apache.tomcat.embed/tomcat-embed-el"
             graalFiles="res/graal/tomcat-embed-el/native-image"
-@@ -1392,7 +1392,7 @@
+@@ -1661,7 +1661,7 @@
             filesDir="${tomcat.classes}"
             filesId="files.tomcat-embed-jasper"
             meta-inf="${tomcat.manifests}/jasper.jar"
@@ -189,7 +189,7 @@ diff -up ./build.xml.orig ./build.xml
             addGraal="true"
             graalPrefix="org.apache.tomcat.embed/tomcat-embed-jasper"
             graalFiles="res/graal/tomcat-embed-jasper/native-image"
-@@ -1401,7 +1401,7 @@
+@@ -1670,7 +1670,7 @@
             filesDir="${tomcat.classes}"
             filesId="files.tomcat-embed-websocket"
             meta-inf="${tomcat.manifests}/tomcat-websocket.jar"

sources

@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.43-src.tar.gz) = 8c23f8a371b3ffbc1ab4d5f24be08ecf2c9e6ba466ef36ef97e075bd0f12b1ffc93f63b9ff1def9953b3f791319c7c355a76e7a54061a21d25be37a5dc22da26
+SHA512 (apache-tomcat-9.0.59-src.tar.gz) = cea0125ca9b90b247ed114fa7b2e9c63da38b1ef97b3a373a43ed0d775764178534a4014b254219c8c5a26575eaf0ddc25ebc1e276b2ad5086ef3406627f1c80

tomcat-9.0-JDTCompiler.patch

@@ -0,0 +1,24 @@
+diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java ./java/org/apache/jasper/compiler/JDTCompiler.java
+index 2e361f2..277d8f4 100644
+--- java/org/apache/jasper/compiler/JDTCompiler.java
++++ java/org/apache/jasper/compiler/JDTCompiler.java
+@@ -310,7 +310,7 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
+             } else if(opt.equals("15")) {
+                 settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
+             } else if(opt.equals("16")) {
+-                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
++                settings.put(CompilerOptions.OPTION_Source, "16");
+             } else if(opt.equals("17")) {
+                 // Constant not available in latest ECJ version that runs on
+                 // Java 8.
+@@ -377,8 +377,8 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
+                 settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
+                 settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
+             } else if(opt.equals("16")) {
+-                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16);
+-                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16);
++                settings.put(CompilerOptions.OPTION_TargetPlatform, "16");
++                settings.put(CompilerOptions.OPTION_Compliance, "16");
+             } else if(opt.equals("17")) {
+                 // Constant not available in latest ECJ version that runs on
+                 // Java 8.

tomcat-9.0-catalina-policy.patch

@@ -1,8 +1,8 @@
---- conf/catalina.policy.orig	2020-04-22 14:51:13.734893403 -0400
-+++ conf/catalina.policy	2020-04-22 15:14:57.609677967 -0400
-@@ -51,6 +51,17 @@ grant codeBase "file:${java.home}/lib/ex
- };
- 
+--- conf/catalina.policy.orig	2021-07-07 10:25:53.461393329 +0800
++++ conf/catalina.policy	2021-07-07 10:27:47.688682404 +0800
+@@ -56,6 +56,16 @@ grant codeBase "file:${java.home}/lib/ex
+ //        permission java.security.AllPermission;
+ //};
  
 +// ========== RHEL SPECIFIC CODE PERMISSIONS =======================================
 +
@@ -14,7 +14,13 @@
 +        permission java.security.AllPermission;
 +};
 +
-+
+ 
  // ========== CATALINA CODE PERMISSIONS =======================================
  
- 
+@@ -262,4 +272,4 @@ grant codeBase "file:${catalina.home}/we
+ //
+ // The permissions granted to a specific JAR
+ // grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" {
+-// };
+\ No newline at end of file
++// };

tomcat.spec

@@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 43
+%global micro_version 59
 %global packdname apache-tomcat-%{version}-src
 %global servletspec 4.0
 %global elspec 3.0
@@ -59,7 +59,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       1%{?dist}
+Release:       3%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       ASL 2.0
@@ -77,12 +77,14 @@ Source21:      tomcat-functions
 Source30:      tomcat-preamble
 Source31:      tomcat-server
 Source32:      tomcat-named.service
+Source33:      java-9-start-up-parameters.conf
 
 Patch0:        %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
 Patch1:        %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
 Patch2:        %{name}-build.patch
 Patch3:        %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4:        rhbz-1857043.patch
+Patch5:        %{name}-%{major_version}.%{minor_version}-JDTCompiler.patch
 
 BuildArch:     noarch
 
@@ -212,6 +214,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch2 -p0
 %patch3 -p0
 %patch4 -p0
+%patch5 -p0
 
 %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
 %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -323,6 +326,8 @@ popd
 %{__install} -m 0644 %{SOURCE32} \
     ${RPM_BUILD_ROOT}%{_unitdir}/%{name}@.service
 
+%{__install} -m 0644 %{SOURCE33} ${RPM_BUILD_ROOT}%{confdir}/conf.d/
+
 # Substitute libnames in catalina-tasks.xml
 sed -i \
    "s,el-api.jar,%{name}-el-%{elspec}-api.jar,;
@@ -545,6 +550,7 @@ fi
 %attr(0775,root,tomcat) %dir %{confdir}/Catalina/localhost
 %attr(0755,root,tomcat) %dir %{confdir}/conf.d
 %{confdir}/conf.d/README
+%{confdir}/conf.d/java-9-start-up-parameters.conf
 %config(noreplace) %{confdir}/%{name}.conf
 %config(noreplace) %{confdir}/*.policy
 %config(noreplace) %{confdir}/*.properties
@@ -623,7 +629,38 @@ fi
 %attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
 
 %changelog
-* Wed Jan 03 2021 Hui Wang <huwang@redhat.com> - 1:9.0.43-1
+* Thu Mar 10 2022 Coty Sutherland <csutherl@redhat.com> - 1:9.0.59-3
+- Resolves: rhbz#2061424 Add Java 9 start-up parameters to allow reflection
+
+* Wed Mar 02 2022 Sonia Xu <sonix@amazon.com> - 1:9.0.59-1
+- Update to 9.0.59
+- Resolves: rhbz#2047419 - CVE-2022-23181 tomcat: local privilege escalation vulnerability
+
+* Fri Dec 10 2021 Hui Wang <huwang@redhat.com> - 1:9.0.56-1
+- Update to 9.0.56
+
+* Tue Nov 23 2021 Hui Wang <huwang@redhat.com> - 1:9.0.55-1
+- Update to 9.0.55
+
+* Tue Oct 12 2021 Hui Wang <huwang@redhat.com> - 1:9.0.54-1
+- Update to 9.0.54
+
+* Thu Sep 16 2021 Hui Wang <huwang@redhat.com> - 1:9.0.53-1
+- Update to 9.0.53
+
+* Wed Aug 18 2021 Hui Wang <huwang@redhat.com> - 1:9.0.52-1
+- Update to 9.0.52
+
+* Thu Aug 12 2021 Hui Wang <huwang@redhat.com> - 1:9.0.50-1
+- Update to 9.0.50
+
+* Thu Apr 22 2021 Hui Wang <huwang@redhat.com> - 1:9.0.45-1
+- Update to 9.0.45
+
+* Thu Mar 18 2021 Hui Wang <huwang@redhat.com> - 1:9.0.44-1
+- Update to 9.0.44
+
+* Wed Feb 03 2021 Hui Wang <huwang@redhat.com> - 1:9.0.43-1
 - Update to 9.0.43
 
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:9.0.41-2