Apache Tomcat Vulnerabilities (CVE-2024-50379 and CVE-2024-56337)
Hi.
A customer launched a warning regarding 2 CVEs for Apache Tomcat (CVE-2024-50379 and CVE-2024-56337). See CVE.png attachment.
The recommended action is to upgrade Tomcat to version 9.0.98 or later (see RecommendedAction.png attachment).
My fresh install of Yellowfin in this customer was 9.10, meaning that current version of Tomcat there is 9.0.82. A month ago, I updated Yellowfin to 9.13, but I didn't update Tomcat.
The most recent version released by Yellowfin, 9.14, uses Tomcat 9.0.96, which is still affected by the CVEs.
What are your recommendations to deal with these CVEs?
Must wait for a new Yellowfin release or should I upgrade Tomcat immediately?
Thank you.
Best regards,
Tiago
Hi Tiago,
Thanks for reaching out to support.
We have an upgraded Tomcat set to be included in an upcoming release -
In the meantime upgrading Tomcat outside Yellowfin is always a viable option, let us know if there are any impacts with the new version in this case.
Thanks,
Eric
Hi Eric.
Since you are OK with an immediate upgrade, I will do that.
I will let you know the result of the upgrade.
Thank you.
Best regards,
Tiago
Hi Eric.
After an internal conversation in my company, we think that we should wait for a clear response from your side, stating that it is secure to implement this Apache Tomcat upgrade.
We are not the only ones affected by these CVEs. All, or a high percentage, of your customers must be, as well, affected by this problem.
Yellowfin must have performed tests by now on the most recent version of Apache Tomcat, 9.0.98, to ensure Yellowfin BI runs without any issues.
Thank you.
Best regards,
Tiago
Hi Tiago,
With a new Tomcat implementation there's quite a bit of testing involved; our operations team is in the process of full testing at this time, and we will be able to confirm support for 9.0.98 upon the next official release. I can also request comment on the CVE IDs directly to confirm the impact status of the application, and ask for additional compatibility comments / potential breaking changes related to the upgrades, if this sounds like a good way forward. Hope this helps; let me know if you have any additional questions.
Hi Eric.
How can I check if the default servlet is enabled for write operations?
I want to update my customers with the current status and I want to be sure about what information I am giving to them.
Thank you.
Best regards,
Tiago
Hi Tiago,
To check if the default servlet is enabled for write operations in Yellowfin, you would typically need to inspect the configuration settings of the Yellowfin server. This involves checking the servlet configuration in the web.xml file or equivalent configuration files where servlets are defined. The Yellowfin configuration DB is de
However, since this is a server-side configuration, it cannot be directly checked using the Yellowfin JS API or any client-side code. You would need access to the server's configuration files to verify this.
If you have access to the server configuration, you can look for the servlet definition related to write operations and check if it is enabled. This might involve checking for specific parameters or flags that indicate whether write operations are allowed.
If you do not have access to the server configuration, you may need to contact your system administrator or the person responsible for managing the Yellowfin server to verify this information.
Hope this helps, let me know if you need anything additionally here.
Thanks,
Eric
Hi Eric.
I did the Yellowfin installation so I have access to the server, but I need specific directions to get the answer I need.
Which settings?
Which one? This ...\appserver\webapps\ROOT\WEB-INF\web.xml or this one: ...\appserver\conf\web.xml
I didn't change anything. It is as it was installed.
Some words missing here?
I have access.
web.xml? Other?
Which ones? Which value configured to these parameters/flags means that it is configured as read only? Which value configured to these parameters/flags means that it is configured with write permissions?
In case those parameters/flags don't exist in the file, does it mean it allows write operations?
Sorry for the long post, but I need a step-by-step, with everything, in order to get the answer I need. If the answer is inside a file, this includes the path for the file, the name of the file, and what to search for in that file (the parameter, the meaning of the value configured, or if the parameter is missing what that means).
Thank you.
Best regards,
Tiago
Hi Tiago,
Yellowfin server is configured to be able to write to the SQL server it is installed on. This is by default. The configuration DB needs to be updated along with content and configuration changes. There is no parameter that defines this in either web.xml by default. Clients can implement their own tomcats and JDBC connections, which can set this "read-only" switch differently depending on the implementation. Hope this helps, let me know if you have any additional questions.
Thanks,
Eric
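The check Tiago asks for above (which of the two web.xml files, which parameter, and what an absent parameter means), as an added example that is not part of this thread or of Yellowfin's own code. Tomcat's DefaultServlet takes a `readonly` init-param, declared on the servlet named `default` in `conf/web.xml`; it defaults to true (writes disabled), which is the "default servlet enabled for write operations" condition the CVE advisories refer to, and an application's own `WEB-INF/web.xml` can override it by declaring its own servlet named `default`. The sample XML strings are constructed for the example; the file paths in the usage comment are the two Tiago named.

```python
# Added example (not from the thread): audit both web.xml files for the DefaultServlet "readonly" init-param.
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace (Java EE schema versions differ)

def default_servlet_readonly(xml_text):
    """True = read-only, False = writes enabled, None = no servlet named 'default' declared.
    Tomcat's DefaultServlet default is readonly=true, so an absent parameter is read-only."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-name"), "")
        if name.strip() != "default":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                # Tomcat parses the value as a Java boolean: only a literal "true" keeps it read-only
                return kv.get("param-value", "").lower() == "true"
        return True  # 'default' declared without the parameter: Tomcat's built-in default applies
    return None

def default_servlet_writable(conf_web_xml, app_web_xml):
    """Effective result: the application's own 'default' servlet declaration overrides conf/web.xml."""
    app, conf = default_servlet_readonly(app_web_xml), default_servlet_readonly(conf_web_xml)
    readonly = app if app is not None else (conf if conf is not None else True)
    return not readonly

# Constructed sample files, shaped like a stock conf/web.xml and an application web.xml.
CONF_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
APP_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>MyServlet</servlet-name><servlet-class>x.Y</servlet-class></servlet>
</web-app>"""
WRITABLE_APP_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""

if __name__ == "__main__":  # usage: python check_default_servlet.py conf/web.xml ROOT/WEB-INF/web.xml
    import sys
    conf, app = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    print("default servlet writable:", default_servlet_writable(conf, app))
```

Run it against `appserver\conf\web.xml` and `appserver\webapps\ROOT\WEB-INF\web.xml`; a result of `False` means the default servlet is read-only, the non-vulnerable configuration for these two CVEs.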