Yellowfin 9.8 with Tomcat 9.0.68 has security risk.

Manikandan Appar shared this question 8 months ago
Completed

Hi Team,

As you are aware Yellowfin 9.8 uses the Apache Tomcat 9.0.68.

Our customer raised a concern that Tomcat 9.0.68 has a security issue and is supposed to be upgraded to the latest version or a higher version (9.0.71).

We just want to understand -

1. Can we ask the customer to install Yellowfin 9.8 (which includes Tomcat 9.0.68) and upgrade Tomcat to 9.0.71?

2. Also, we want to know which version of Tomcat you are suggesting to us so that we can inform our customer.

Note: please make this ticket available publicly so that I can share it with other teams.

Thanks,

Manikandan

Replies (9)


Hi Manikandan,

Thanks for reaching out to Yellowfin support.

We are currently reviewing this case. We will get back to you with the findings shortly. In the meantime, could you please let me know the current Yellowfin version and build the client is using?

Regards,

Sri Vamsi


Hi Manikandan,

I hope you are doing well.

1. Our customer raised a concern that Tomcat 9.0.68 has a security issue and is supposed to be upgraded to the latest version or a higher version (9.0.71). -- Could you please provide the CVE numbers? After getting the CVEs we will check internally.

2. Can we ask the customer to install Yellowfin 9.8 (which includes Tomcat 9.0.68) and upgrade Tomcat to 9.0.71? -- We have a confirmation from our dev team. Yes, you can update Tomcat to the latest version of 9 manually. I would recommend going through the link below, because it contains the information related to the Tomcat upgrade: https://community.yellowfinbi.com/knowledge-base/article/how-to-upgrade-tomcat

3. Also, we want to know which version of Tomcat you are suggesting to us so that we can inform our customer. -- From the YF version 9.9 release we provide an upgraded Apache Tomcat, from version 9.0.68 to 9.0.73, for new installs. I would suggest installing version 9.8 along with Tomcat 9.0.68 and upgrading to 9.0.71 manually.

Please let me know if you need any further information.

Regards,

Sri Vamsi


Thanks, Sri Vamsi, for your detailed input.

The CVE number is CVE-2023-24998.


Hi Manikandan,

Greetings of the Day!

We have reviewed the CVE details that you have shared, and based on my review, the upgrade of the Apache Commons FileUpload jar from 1.4 to 1.5 has been fixed in the recent Yellowfin 9.9 release. Please let us know if this is what you are looking for. Let me know if you have any further questions; we would be happy to help.

Regards,

Sri Vamsi
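The two facts this thread turns on are the Tomcat build actually running under Yellowfin (the manual-upgrade answer above) and the version of the Apache Commons FileUpload jar shipped with the webapp (the reply just above). The script below is an added example for checking both on a deployed install; it is not Yellowfin's or Apache's code. It assumes a stock Tomcat layout (an `Implementation-Version` header in the manifest of `lib/catalina.jar`, and `commons-fileupload-<ver>.jar` somewhere under `CATALINA_HOME`, typically the webapp's `WEB-INF/lib`), and it uses the thresholds stated in the ticket: 9.0.71 as the minimum Tomcat and 1.5 as the minimum FileUpload jar. The sample install it builds in a temporary directory is constructed so the check can be exercised offline.

```python
"""Audit a Tomcat/Yellowfin install for the versions discussed in the ticket.
Added example, not Yellowfin's or Apache's code; the layout below is assumed."""
import re
import tempfile
import zipfile
from pathlib import Path

# Thresholds taken from the ticket: the customer asked for Tomcat 9.0.71, and the
# CVE-2023-24998 remediation named in the thread is the FileUpload 1.4 -> 1.5 jar upgrade.
MIN_TOMCAT = (9, 0, 71)
MIN_FILEUPLOAD = (1, 5)


def parse_version(text):
    """'9.0.68' -> (9, 0, 68); tolerant of suffixes such as '9.0.68-SNAPSHOT'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def tomcat_version(catalina_home):
    """Read Implementation-Version from lib/catalina.jar's manifest.
    Assumption: stock Tomcat builds carry this header in catalina.jar."""
    jar = Path(catalina_home) / "lib" / "catalina.jar"
    with zipfile.ZipFile(jar) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    if not match:
        raise ValueError("no Implementation-Version in catalina.jar manifest")
    return parse_version(match.group(1))


def fileupload_jars(root):
    """Find every commons-fileupload-<ver>.jar under root and parse the version from its name."""
    found = []
    for jar in Path(root).rglob("commons-fileupload-*.jar"):
        match = re.match(r"commons-fileupload-(\d+(?:\.\d+)*)\.jar$", jar.name)
        if match:
            found.append((str(jar.relative_to(root)), parse_version(match.group(1))))
    return sorted(found)


def audit(catalina_home):
    """Return a report comparing what is installed against the ticket's thresholds."""
    tomcat = tomcat_version(catalina_home)
    jars = fileupload_jars(catalina_home)
    return {
        "tomcat_version": tomcat,
        "tomcat_ok": tomcat >= MIN_TOMCAT,
        "fileupload_jars": jars,
        # An empty jar list means nothing was found to flag; inspect the webapp manually in that case.
        "fileupload_found": bool(jars),
        "fileupload_ok": all(version >= MIN_FILEUPLOAD for _, version in jars),
    }


def build_sample_install(base, tomcat="9.0.68", fileupload="1.4"):
    """Constructed sample: a minimal fake Tomcat layout so the audit runs offline."""
    base = Path(base)
    lib = base / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(lib / "catalina.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {tomcat}\r\n\r\n")
    weblib = base / "webapps" / "ROOT" / "WEB-INF" / "lib"
    weblib.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(weblib / f"commons-fileupload-{fileupload}.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
    return base


def audit_sample(tomcat="9.0.68", fileupload="1.4"):
    """Build the constructed install in a temp dir and audit it (demonstration only)."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_install(tmp, tomcat, fileupload))


if __name__ == "__main__":
    # Against a real install, call audit("/path/to/tomcat") instead.
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

Run it against a live install with `audit("/path/to/tomcat")`; the version tuple comparison is what makes "9.0.68 < 9.0.71" come out right where a plain string comparison would not, and checking the bundled jar separately matters because a manual Tomcat upgrade does not touch jars inside the Yellowfin webapp.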


Hi Sri Vamsi,

Can you provide the download link for Tomcat 9.0.71 from the official site?

Thanks,

Manikandan


Hi Manikandan,

Greetings of the Day!

You can download the Tomcat version from their official website, mentioned below.

https://archive.apache.org/dist/tomcat/tomcat-9/

Please let me know if you need any additional information.

Regards,

Sri Vamsi


Hello Manikandan,

Greetings for the Day!

We would like to check with you whether you have had the opportunity to read our last response.

We request you to review it and let us know if you have any questions or if further assistance is required.

Regards

Sri Vamsi


Hello Manikandan,

This is a follow-up reminder that there has been no activity on the ticket in the last 2 days.

No activity usually means either that you have found the solution for the reported issue or that the matter is no longer relevant.

Without any activity, we assume that the ticket can be closed within 5 days (2 days from now).

If this is not the case, please do let us know how we can be of further assistance.

We would be glad/pleased to assist you.

Regards

Sri Vamsi


Hello Manikandan,

This email is to notify you that, as you have identified the solution for the reported issue, this ticket can be resolved for now.

As we find no activity, we are going ahead and marking this ticket as Completed. However, if you ever want to revisit this or have anything else we could help you with, please let me know.

We would be glad/pleased to assist you.

Regards

Sri Vamsi
