Solved

CVE-2021-33037 - Which version of Tomcat comes pre-packaged with the latest build 21627 ?

  • 23 September 2021
  • 7 replies
  • 13 views


Hello


Our security scan has detected a vulnerability against the version of Apache Tomcat installed.

The Web server installed on the remote host is prior to 9.0.48. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.48_security-9 advisory.


Tomcat Release-Notes: 9.0.44

FME Server Build: FME Server 2021.1.1 / Build 21619 - win64


Thanks

Sameer


Best answer by chrisatsafe 23 September 2021, 17:47


Hi @sameer​ ,


Correct, FME Server 2021.1 comes with Tomcat 9.0.44 as mentioned on the third-party component versions for FME Server article.


If you would prefer to provide your own web application server, see the documentation.


Hi @chrisatsafe​ 


Thanks for providing the third-party component versions web link which I did not know about.

We are currently going through our annual pen tests hence the query.

I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.


Thanks

Sameer


Hi @sameer​ ,


Yes, FME Server 2021.2.0 will use Tomcat 9.0.52. The release date for this version is early November.


Please also note that our developers have reviewed CVE-2021-33037 and they determined that this is an esoteric exploit that needs multiple vectors to be exploitable; notably, there must be a load balancer running in front of Tomcat that is some other service. Therefore, if you do not use an LB, this vulnerability will not be applicable to an FME Server 2021.1 install.
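The applicability reasoning in the reply above has two parts: the installed Tomcat must be older than the advisory's fixed-in version (9.0.48, from the scanner finding quoted in the question), and, for this particular CVE, there must be a load balancer or other reverse proxy in front of Tomcat. The script below is an added example written for this thread; it is not code from the original posts, from Safe Software, or from Apache Tomcat. It parses the version from the forms a defender normally reads it in (the `Apache Tomcat/9.0.44` banner, the `server.number=9.0.44.0` line of `ServerInfo.properties`, or a bare `9.0.44`), compares it numerically rather than as a string, and applies the proxy precondition as a flag the reader supplies from their own deployment. The `behind_reverse_proxy` and `needs_proxy` parameter names and the sample inputs are constructed for the example.

```python
"""Decide whether a version-gated Tomcat advisory applies to an install.

Added example for this thread; the fixed-in version 9.0.48 for
CVE-2021-33037 comes from the scanner finding quoted in the question,
and the load-balancer precondition from the vendor reply.
"""
import re
from typing import NamedTuple

# Matches "9.0.44", "Apache Tomcat/9.0.44" and "server.number=9.0.44.0".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Return the numeric version tuple (major, minor, patch, build) found in text.

    A missing fourth component is treated as 0, so "9.0.44" == "9.0.44.0".
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(part) for part in match.groups(default="0"))


def is_before(installed: str, fixed_in: str) -> bool:
    """True when installed is numerically older than fixed_in.

    Comparing the raw strings is a common mistake: "9.0.48" < "9.0.5"
    lexically, which would mark a patched server as vulnerable.
    """
    return parse_version(installed) < parse_version(fixed_in)


class Finding(NamedTuple):
    cve: str
    applicable: bool
    reason: str


def assess(installed: str, fixed_in: str, cve: str,
           behind_reverse_proxy: bool, needs_proxy: bool) -> Finding:
    """Combine the version gate with the deployment precondition.

    behind_reverse_proxy: the reader's own knowledge of the deployment
                          (is a load balancer / proxy in front of Tomcat?).
    needs_proxy:          whether the advisory only applies behind a proxy,
                          as the reply states for CVE-2021-33037.
    """
    if not is_before(installed, fixed_in):
        return Finding(cve, False,
                       f"{installed} is at or above fixed-in version {fixed_in}")
    if needs_proxy and not behind_reverse_proxy:
        return Finding(cve, False,
                       f"{installed} is before {fixed_in}, but no load balancer "
                       "or reverse proxy fronts Tomcat, so the precondition is not met")
    return Finding(cve, True,
                   f"{installed} is before {fixed_in}; upgrade Tomcat or the bundling product")


if __name__ == "__main__":
    # Constructed sample inputs: the version reported on the page and the
    # two deployment shapes discussed in the reply.
    for banner, proxied in (("Apache Tomcat/9.0.44", False),
                            ("Apache Tomcat/9.0.44", True),
                            ("server.number=9.0.52.0", True)):
        finding = assess(banner, "9.0.48", "CVE-2021-33037",
                         behind_reverse_proxy=proxied, needs_proxy=True)
        print(f"{finding.cve}: applicable={finding.applicable} ({finding.reason})")
```

The version gate is reusable for any later advisory against the same install (swap in the fixed-in version from that advisory); the proxy flag only matters for advisories whose conditions, like this one, depend on what sits in front of Tomcat.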


Hi @hollyatsafe​ 


Thanks so much for this useful information.


Hi @hollyatsafe​ ,

For now it seems that Tomcat 9.0.52 has no vulnerabilities, as reported here:

https://www.cvedetails.com/version/666705/Apache-Tomcat-9.0.52.html


Andrea


Hi @afavaccio​ ,

According to this, not anymore: https://www.cvedetails.com/cve/CVE-2021-42340/


Thanks for the follow-up. Hopefully with the 2022 version and a newly packaged Tomcat, we won't have to worry about this anymore.

Nevertheless, this updated article will be useful as we have other Tomcat servers to look after.
