Security Bulletin - Tomcat on Windows
Security Bulletin - 1/20/2021
A security notice was released by the Apache Tomcat team highlighting sensitive information exposure when hosting Tomcat on a Windows NTFS file system. Unexpected behavior between the JRE API and the Windows API can lead to sensitive information disclosure. Specifically this can lead to bypassing security constraints or viewing JSP source code in some configurations.
This is classified as a high severity vulnerability and few technical details are available to determine to whether Yellowfin users are affected, or to what extent.
This affects the following versions of Tomcat:
- 10.0.0-M1 to 10.0.0-M9
- 9.0.0.M1 to 9.0.39
- 8.5.0 to 8.5.59
- 7.0.0 to 7.0.106
Yellowfin upgrade installers do not include Tomcat upgrades. For existing deployments, the Tomcat version should be monitored and controlled by local administrators. In the event your organization is hosting Yellowfin on a Windows environment, it would be prudent to perform a Tomcat Upgrade as soon as time permits. The process will require some scheduled downtime for the Yellowfin service.
Note: Perform a full backup of Yellowfin before performing any major changes. This should include a full backup of the Configuration Database and a full backup of the Yellowfin installation folder.
UPDATE- 01/22/2021: Yellowfin has released a full installer of 9.4.2 and 8.0.8 with an upgraded Tomcat version of 9.0.41 to address this.