Security Bulletin - Tomcat on Windows

Ryan Carrie shared this announcement 49 days ago

Security Bulletin - 1/20/2021

Details

A security notice was released by the Apache Tomcat team highlighting sensitive information exposure when hosting Tomcat on a Windows NTFS file system. Unexpected behavior between the JRE API and the Windows API can lead to sensitive information disclosure. Specifically, this can lead to bypassing security constraints or viewing JSP source code in some configurations.

This is classified as a high severity vulnerability, and few technical details are available to determine whether Yellowfin users are affected, or to what extent.

This affects the following versions of Tomcat:

  • 10.0.0-M1 to 10.0.0-M9
  • 9.0.0.M1 to 9.0.39
  • 8.5.0 to 8.5.59
  • 7.0.0 to 7.0.106

Recommendation

Yellowfin upgrade installers do not include Tomcat upgrades. For existing deployments, the Tomcat version should be monitored and controlled by local administrators. In the event your organization is hosting Yellowfin on a Windows environment, it would be prudent to perform a Tomcat upgrade as soon as time permits. The process will require some scheduled downtime for the Yellowfin service.
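As an added example (not part of this bulletin or of Yellowfin's own tooling), the following Python checker compares an installed Tomcat version against the affected ranges listed above, including the milestone forms (10.0.0-M9, 9.0.0.M1). The "Server version:" sample is constructed; obtaining it from Tomcat's bin\version.bat output (or the server.info entry in ServerInfo.properties inside lib\catalina.jar) is an assumption about how an administrator collects the version.

```python
import re

# Affected ranges exactly as listed in the bulletin (inclusive bounds).
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M9"),
    ("9.0.0.M1", "9.0.39"),
    ("8.5.0", "8.5.59"),
    ("7.0.0", "7.0.106"),
]

# Accepts x.y.z, x.y.z-Mn (Tomcat 10 style) and x.y.z.Mn (Tomcat 9 style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version):
    """Turn a Tomcat version string into a sortable tuple.
    Milestone builds (Mn) sort before the GA build of the same x.y.z,
    so 9.0.0.M27 < 9.0.1 and 10.0.0-M9 < 10.0.0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if the version falls inside any range listed in the bulletin."""
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def parse_server_version(output):
    """Pull the version out of the 'Server version: Apache Tomcat/x.y.z' line."""
    m = re.search(r"Apache Tomcat/(\S+)", output)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' string found in output")
    return m.group(1)


# Constructed sample of version.bat output; not captured from a real host.
SAMPLE_OUTPUT = """Using CATALINA_BASE:   "C:\\Yellowfin\\appserver"
Server version: Apache Tomcat/9.0.39
OS Name:        Windows Server 2019
"""

if __name__ == "__main__":
    v = parse_server_version(SAMPLE_OUTPUT)
    print(f"Tomcat {v}: {'affected, upgrade required' if is_affected(v) else 'not in the listed ranges'}")
```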

Note: Perform a full backup of Yellowfin before performing any major changes. This should include a full backup of the Configuration Database and a full backup of the Yellowfin installation folder.

UPDATE - 01/22/2021: Yellowfin has released a full installer of 9.4.2 and 8.0.8 with an upgraded Tomcat version of 9.0.41 to address this.

Please visit the Yellowfin Portal to access these releases and subscribe to announcements via RSS for future Security Bulletins.

Contact security@yellowfin.bi with any responsible disclosure submissions or the Yellowfin Support Team with any questions or concerns.