+18Hello
Our security scan has detected a vulnerability against the version of Apache Tomcat installed.
The Web server installed on the remote host is prior to 9.0.48. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.48_security-9 advisory.
Tomcat Release-Notes: 9.0.44
FME Server Build: FME Server 2021.1.1 / Build 21619 - win64
Thanks
Sameer
Best answer by chrisatsafe
Hi @sameer ,
Correct, FME Server 2021.1 comes with Tomcat 9.0.44 as mentioned on the third-party component versions for FME Server article.
If you would prefer to provide your own web application server see the documentation.
+2Hi @sameer ,
Correct, FME Server 2021.1 comes with Tomcat 9.0.44 as mentioned on the third-party component versions for FME Server article.
If you would prefer to provide your own web application server see the documentation.
+18Hi @sameer ,
Correct, FME Server 2021.1 comes with Tomcat 9.0.44 as mentioned on the third-party component versions for FME Server article.
If you would prefer to provide your own web application server see the documentation.
Hi @chrisatsafe
Thanks for providing the third-party component versions web link which I did not know about.
We are currently going through our annual pen tests hence the query.
I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.
Thanks
Sameer
Hi @chrisatsafe
Thanks for providing the third-party component versions web link which I did not know about.
We are currently going through our annual pen tests hence the query.
I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.
Thanks
Sameer
Hi @sameer ,
Yes, FME Server 2021.2.0 will use Tomcat 9.0.52. The release date for this version is early November.
Please also note that our developers have reviewed CVE-2021-33037 and they determined that this is an esoteric exploit that needs multiple vectors to be exploitable, notably there must be a load balancer running in front of tomcat that is some other service. Therefore if you do not use a LB, this vulnerability will not be applicable to an FME Server 2021.1 install.
+18Hi @chrisatsafe
Thanks for providing the third-party component versions web link which I did not know about.
We are currently going through our annual pen tests hence the query.
I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.
Thanks
Sameer
Hi @hollyatsafe
Thanks so much for this useful information.
+2Hi @chrisatsafe
Thanks for providing the third-party component versions web link which I did not know about.
We are currently going through our annual pen tests hence the query.
I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.
Thanks
Sameer
Hi @hollyatsafe ,
for now seems that Tomcat 9.0.52 has none vulnerabilities as reported here:
https://www.cvedetails.com/version/666705/Apache-Tomcat-9.0.52.html
Andrea
+12Hi @chrisatsafe
Thanks for providing the third-party component versions web link which I did not know about.
We are currently going through our annual pen tests hence the query.
I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.
Thanks
Sameer
Hi @afavaccio ,
According to this, not anymore: https://www.cvedetails.com/cve/CVE-2021-42340/
+18Hi @chrisatsafe
Thanks for providing the third-party component versions web link which I did not know about.
We are currently going through our annual pen tests hence the query.
I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.
Thanks
Sameer
Thanks for the follow up. Hopefully with the the 2022 version and a newly packaged Tomcat, we won't have to worry about this anymore.
Nevertheless, this updated article will be useful as we have other Tomcat servers to look after.
