Apache Tomcat Vulnerabilities

Ryan Carrie shared this question 6 years ago
Answered

I've recently had a vulnerability related to Tomcat come up in my security scan. What do I do?

Best Answer

When using Yellowfin as shipped, our full installer installs the current version of Tomcat we've bundled with that particular version and build of Yellowfin. Our update installer, however, doesn't update Tomcat when Yellowfin is updated. If you've updated your Yellowfin installation over time, this could leave an older version of Tomcat in its place.

First and foremost, anytime you find a vulnerability come up in a security scan, don't hesitate to open a support ticket if you don't find any related articles to the particular vulnerability listing, or CVE. Oftentimes, we have already reviewed a vulnerability and can provide further information on if it affects you or why it does not.

Am I going to have to run a full installer and migrate my content anytime I want to update Tomcat?

Luckily no! We have detailed a process of updating your Tomcat instance that ships with Yellowfin. More information can be found on that here. Keep in mind it's recommended to have good backups of your Yellowfin Configuration Database and your Yellowfin Installation folder prior to performing any configuration changes. Also verify with support, as we can notify you of the most recent Tomcat version tested with Yellowfin.

You can find a list of CVEs we've reviewed in regards to Tomcat here. Please note that the page linked is a work in progress and will be built over time.
