<?xml version="1.0" encoding="UTF-8"?>
<!--
  Minimal Tomcat server.xml authored to reach the CVE-2026-34486 fail-open path.
  - One HTTP connector (8080) so the marker/output can optionally be retrieved over HTTP.
  - A clustering <Cluster> whose <Channel> carries an EncryptInterceptor configured
    with a static key. The NioReceiver listens on 4000 and is the unauthenticated
    attack surface for the Tribes deserialization sink.
  No second cluster node is required: the bug is in the *receiver's* messageReceived
  path, which a single node processes for any inbound Tribes frame on port 4000.
-->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <Service name="Catalina">

    <Connector port="8080" protocol="HTTP/1.1"
               address="0.0.0.0"
               connectionTimeout="20000"
               redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">

      <!--
        Tribes cluster with encryption. EncryptInterceptor wraps the channel with
        AES/GCM using the static encryptionKey below (a 128-bit key as 32 hex chars).
        The vulnerable EncryptInterceptor.messageReceived() in 11.0.20 forwards raw
        bytes to super.messageReceived() even when decrypt() throws, so an attacker
        sending unencrypted bytes reaches XByteBuffer.deserialize() -> readObject().
      -->
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
               channelSendOptions="6">

        <Channel className="org.apache.catalina.tribes.group.GroupChannel">

          <Membership className="org.apache.catalina.tribes.membership.McastService"
                      address="228.0.0.4"
                      port="45564"
                      frequency="500"
                      dropTime="3000"/>

          <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                    address="0.0.0.0"
                    port="4000"
                    autoBind="0"
                    selectorTimeout="5000"
                    maxThreads="6"/>

          <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
            <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
          </Sender>

          <!-- The vulnerable interceptor, configured with a key as the CVE requires. -->
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                       encryptionKey="cafebabecafebabecafebabecafebabe"/>

          <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>

        </Channel>

        <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
               filter=""/>
        <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>

        <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
      </Cluster>

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>
