Yellowfin 7.35 with Security Vulnerability in Apache Tomcat.

Manikandan Appar shared this question 10 months ago
Completed

Hi Team,

We are seeing a security vulnerability in Apache Tomcat with Yellowfin 7.35.

An example of the security vulnerability is Apache Tomcat 7.0.0 < 7.0.108 RCE.

As of now, we will not be able to upgrade the Yellowfin version, but we would like to understand if we can upgrade the Tomcat version to solve the above problem.

Can you check and let us know which Tomcat version we have to upgrade to, or provide your suggestions?

Thanks,

Manikandan

Replies (14)


Hello Manikandan,

Thanks for reaching out to Yellowfin Support.

To proceed further, could you kindly provide the following details:

1. Could you please share info.jsp? To access this page, just append info.jsp to your YF URL, e.g. http://localhost:8080/info.jsp

2. Could you please let me know if there is any specific CVE or CWE number that you are referring to? I looked at the image; however, it didn't help.

3. If possible, could you please share the complete vulnerability scan report document for us to investigate further?

Regards,
Sharwari Inkane


Hi Sharwari,

I have requested the above details; we will update you soon.

Thanks.


Hello Manikandan,

Thanks for your response. Please keep me updated once you have received the requested details.

Regards,
Sharwari Inkane


Hi Sharwari,

The user was unable to browse http://localhost:8080/info.jsp, so we asked them to export the system information; please find the details in the Word document.

Regarding the CVE number, please find the scan report in the Excel sheet. I reviewed the report for a CVE number, but it was not mentioned explicitly. When I searched on the internet, I could find relatively the same in https://www.tenable.com/plugins/nessus/147163

Let me know if any more details are needed.

Thanks,

Manikandan


Hello Manikandan,

Thanks for sharing the system information and complete vulnerability scan report. Typically, vulnerabilities of this type are resolved by upgrading Tomcat to the latest version, 9.0.73. Could you kindly attempt to manually upgrade your Tomcat version to 9.0.73 and then rerun the report? Please verify if any vulnerabilities remain after the Tomcat upgrade. Please follow the instructions provided in the following article for the Tomcat upgrade: https://community.yellowfinbi.com/knowledge-base/article/how-to-upgrade-tomcat

Please be aware that Yellowfin Version 7 is no longer supported, and we kindly request you to either download or upgrade to the latest version using the link provided. If you are upgrading from version 7.3 to version 9, it's important to follow the correct upgrade path. We recommend the following upgrade path: 7.3 -> 7.35 -> 8.0 -> 9.8 (or any 9.x version you prefer). It's also important to note that Yellowfin 9.9 comes with Tomcat 9.0.73. However, upgrading to Yellowfin version 9.9 will not automatically upgrade Tomcat; the new installation will include the updated version.

Regards,
Sharwari Inkane


Hello Manikandan,

I hope all is well.

I just want to touch base to see if you had a chance to read through my response. If you can let me know, that would be great.

Regards,
Sharwari Inkane


Hi Sharwari,

I will update the status tomorrow. I have informed them about these details and am waiting for their input.

Thanks,

Manikandan


Hello Manikandan,

Thanks for your response. Please keep me updated once you have received any input from the user.

Regards,
Sharwari Inkane


Hello Manikandan,

I just wanted to check in and see if you have received any input from the user. Please let me know.
Thanks and have a great day!

Regards,
Sharwari Inkane


Hello Manikandan,

I hope all is well.

I just want to touch base to see if you had a chance to read through my response. If you can let me know, that would be great.

Regards,
Sharwari Inkane


Yeah Sharwari, I have shared the details with them, but they are yet to come back.

I will let you know the status as soon as they inform us.

Regards,

Manikandan


Hello Manikandan,

Sure, thanks for the update. I will await your response.

Regards,
Sharwari Inkane


Hi Sharwari,

Thanks for your support.

No further input is required; we provided the instructions to upgrade Tomcat.

Regards,

Manikandan


Hello Manikandan,

Thanks for your response. I will now go ahead and mark this case as completed. Feel free to contact us with any questions or concerns; we would be more than happy to assist you.

Have a great rest of your day!

Thanks!

Regards,

Sharwari Inkane
