Bug#846298: tomcat7: Security update causes java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper

Anthony DeRobertis aderobertis at metrics.net
Tue Nov 29 22:28:06 UTC 2016 

Package: tomcat7
Version: 7.0.56-3+deb8u5
Severity: important

I applied the latest security update and it broke tomcat completely. The logs
show:

SEVERE: SecurityClassLoad
java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper
         at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
         at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
         at java.security.AccessController.doPrivileged(Native Method)
         at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
         at org.apache.jasper.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:49)
         at org.apache.jasper.compiler.JspRuntimeContext.<clinit>(JspRuntimeContext.java:82)
         at java.lang.Class.forName0(Native Method)
         at java.lang.Class.forName(Class.java:278)
         at org.apache.catalina.core.JasperListener.lifecycleEvent(JasperListener.java:63)
         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
         at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
         at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
         at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
         at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:606)
         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

Nov 29, 2016 5:11:13 PM org.apache.catalina.core.JasperListener lifecycleEvent
WARNING: Couldn't initialize Jasper
java.lang.ExceptionInInitializerError
         at java.lang.Class.forName0(Native Method)
         at java.lang.Class.forName(Class.java:278)
         at org.apache.catalina.core.JasperListener.lifecycleEvent(JasperListener.java:63)
         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
         at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
         at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
         at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
         at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:606)
         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.lang.IllegalStateException: java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper
         at org.apache.jasper.compiler.JspRuntimeContext.<clinit>(JspRuntimeContext.java:99)
         ... 15 more
Caused by: java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper
         at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
         at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
         at java.security.AccessController.doPrivileged(Native Method)
         at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
         at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
         at org.apache.jasper.compiler.JspRuntimeContext.<clinit>(JspRuntimeContext.java:92)
         ... 15 more

Upgrading to the version is jessie-backports fixes the issue. This looks like
https://bz.apache.org/bugzilla/show_bug.cgi?id=60101 but that's just a guess.

-- System Information:
Debian Release: 8.6
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat7 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat7-common         7.0.73-1~bpo8+1
ii  ucf                    3.0030

Versions of packages tomcat7 recommends:
ii  authbind  2.1.1

Versions of packages tomcat7 suggests:
ii  libtcnative-1     1.1.32~repack-2
pn  tomcat7-admin     <none>
pn  tomcat7-docs      <none>
pn  tomcat7-examples  <none>
pn  tomcat7-user      <none>

-- Configuration Files:
/etc/tomcat7/catalina.properties [Errno 13] Permission denied: u'/etc/tomcat7/catalina.properties'
/etc/tomcat7/context.xml [Errno 13] Permission denied: u'/etc/tomcat7/context.xml'
/etc/tomcat7/logging.properties [Errno 13] Permission denied: u'/etc/tomcat7/logging.properties'
/etc/tomcat7/policy.d/01system.policy [Errno 13] Permission denied: u'/etc/tomcat7/policy.d/01system.policy'
/etc/tomcat7/policy.d/02debian.policy [Errno 13] Permission denied: u'/etc/tomcat7/policy.d/02debian.policy'
/etc/tomcat7/policy.d/03catalina.policy [Errno 13] Permission denied: u'/etc/tomcat7/policy.d/03catalina.policy'
/etc/tomcat7/policy.d/04webapps.policy [Errno 13] Permission denied: u'/etc/tomcat7/policy.d/04webapps.policy'
/etc/tomcat7/policy.d/50local.policy [Errno 13] Permission denied: u'/etc/tomcat7/policy.d/50local.policy'
/etc/tomcat7/server.xml [Errno 13] Permission denied: u'/etc/tomcat7/server.xml'
/etc/tomcat7/tomcat-users.xml [Errno 13] Permission denied: u'/etc/tomcat7/tomcat-users.xml'
/etc/tomcat7/web.xml [Errno 13] Permission denied: u'/etc/tomcat7/web.xml'

-- debconf information:
   tomcat7/username: tomcat7
   tomcat7/groupname: tomcat7
   tomcat7/javaopts: -server -Xms2500m -Xmx2700m -XX:MaxPermSize=384m -Xbootclasspath/a:/usr/lib/oracle/11.2/client64/lib/ojdbc6.jar -XX:+UseParallelGC -XX:+UseParallelOldGC -XX:MaxGCPauseMillis=1500 -XX:GCTimeRatio=99 -DentityExpansionLimit=256000 -Djava.net.preferIPv4Stack=true

More information about the pkg-java-maintainers mailing list