Apache Tomcat Vulnerabilities (CVE-2024-50379 and CVE-2024-56337)
In Progress
Hi.
A customer launched a warning regarding 2 CVEs for Apache Tomcat (CVE-2024-50379 and CVE-2024-56337). See CVE.png attachment.
The recommended action is to upgrade Tomcat to version 9.0.98 or later (see RecommendedAction.png attachment).
My fresh install of Yellowfin in this customer was 9.10, meaning that current version of Tomcat there is 9.0.82. A month ago, I updated Yellowfin to 9.13, but I didn't update Tomcat.
The most recent version released by Yellowfin, 9.14, uses Tomcat 9.0.96, which is still affected by the CVEs.
What are your recommendations to deal with these CVEs?
Must wait for a new Yellowfin release or should I upgrade Tomcat immediately?
Thank you.
Best regards,
Tiago
Hi Tiago,
Thanks for reaching out to support.
We have an upgraded Tomcat set to be included in an upcoming release -
In the meantime upgrading Tomcat outside Yellowfin is always a viable option, let us know if there are any impacts with the new version in this case.
Thanks,
Eric
Hi Tiago,
Thanks fr reaching out to support.
We have an upgraded Tomcat set to be included in an upcoming release -
In the meantime upgrading Tomcat outside Yellowfin is always a viable option, let us know if there are any impacts with the new version in this case.
Thanks,
Eric
Hi Eric.
Since you are OK with an immediate upgrade, I will do that.
I will let you know the result of the upgrade.
Thank you.
Best regards,
Tiago
Hi Eric.
After an internal conversation in my company, we think that we should wait for a clear response from your side, stating that it is secure to implement this Apache Tomcat upgrade.
We are not the only ones affected by these CVEs. All, or a high percentage, of your customers must be affected by this problem as well.
Yellowfin must have performed tests by now on the most recent version of Apache Tomcat, 9.0.98, to ensure Yellowfin BI runs without any issues.
Thank you.
Best regards,
Tiago
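As an added example (not part of this support thread, and not Yellowfin's or Apache's code), the check below answers the question the thread keeps circling: is the Tomcat 9 build under a Yellowfin install below the 9.0.98 fix level named in the recommended action? It reads the version the two ways Tomcat itself exposes it: the "Server number:" line printed by bin/version.sh, and the server.number key in org/apache/catalina/util/ServerInfo.properties inside lib/catalina.jar. The fixed version 9.0.98 is the one stated in the thread; builds on other major lines are reported as "not-covered" rather than guessed at. The sample version.sh output and the in-memory catalina.jar are constructed for the demonstration, using the 9.0.82 and 9.0.96 figures quoted above.

```python
"""Report whether a Tomcat 9 install is below the 9.0.98 fix level.

Added example for this thread, not vendor code. Assumptions are marked.
"""
import io
import re
import zipfile

# Fix level named in the thread's recommended action (Tomcat 9 line only).
FIXED_9X = (9, 0, 98)

# Path of the properties file inside catalina.jar (real Tomcat layout).
SERVERINFO_PATH = "org/apache/catalina/util/ServerInfo.properties"


def parse_server_number(text: str) -> tuple:
    """Extract (major, minor, patch) from a Tomcat version string.

    Accepts both "9.0.82" and the four-part build form "9.0.82.0" that
    version.sh and ServerInfo.properties emit.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", text)
    if not m:
        raise ValueError(f"no Tomcat version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: tuple) -> str:
    """Classify a parsed version against the 9.0.98 fix level.

    Returns "affected", "fixed", or "not-covered" (non-9.x line: the thread
    gives no fix level for it, so we do not invent one).
    """
    if version[0] != 9:
        return "not-covered"
    return "affected" if version < FIXED_9X else "fixed"


def assess_version_output(output: str) -> str:
    """Assess the text printed by bin/version.sh (or catalina.sh version)."""
    for line in output.splitlines():
        if line.strip().startswith("Server number:"):
            return assess(parse_server_number(line))
    raise ValueError("no 'Server number:' line in version.sh output")


def read_from_catalina_jar(jar) -> tuple:
    """Read server.number from lib/catalina.jar (path or file-like object).

    Useful when the service account cannot run version.sh but can read the
    jar; the key name and location are Tomcat's own.
    """
    with zipfile.ZipFile(jar) as z:
        props = z.read(SERVERINFO_PATH).decode("utf-8")
    for line in props.splitlines():
        if line.startswith("server.number="):
            return parse_server_number(line.split("=", 1)[1])
    raise ValueError("server.number missing from ServerInfo.properties")


# Constructed sample: what version.sh prints on the Yellowfin 9.10 bundle.
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/yellowfin/appserver
Server version: Apache Tomcat/9.0.82
Server built:   Oct 9 2023 15:13:54 UTC
Server number:  9.0.82.0
OS Name:        Linux
"""


def build_sample_jar(server_number: str) -> io.BytesIO:
    """Constructed in-memory catalina.jar carrying only ServerInfo.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            SERVERINFO_PATH,
            f"server.info=Apache Tomcat/{server_number}\n"
            f"server.number={server_number}.0\n"
            "server.built=constructed\n",
        )
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print("version.sh sample:", assess_version_output(SAMPLE_VERSION_SH))
    jar = build_sample_jar("9.0.96")  # the build Yellowfin 9.14 ships
    print("catalina.jar sample:", assess(read_from_catalina_jar(jar)))
```

Run it against a real install by piping `bin/version.sh` output into assess_version_output, or by passing the path of lib/catalina.jar to read_from_catalina_jar; the point of the jar path is that it works on a stopped instance or from a read-only audit account.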