Skip to main content

Hello

 

Our security scan has detected a vulnerability against the version of Apache Tomcat installed.

The Web server installed on the remote host is prior to 9.0.48. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.48_security-9 advisory.

 

Tomcat Release-Notes: 9.0.44

FME Server Build: FME Server 2021.1.1 / Build 21619 - win64

 

Thanks

Sameer

Hi @sameer​ ,

 

Correct, FME Server 2021.1 comes with Tomcat 9.0.44 as mentioned on the third-party component versions for FME Server article.

 

If you would prefer to provide your own web application server see the documentation


Hi @sameer​ ,

 

Correct, FME Server 2021.1 comes with Tomcat 9.0.44 as mentioned on the third-party component versions for FME Server article.

 

If you would prefer to provide your own web application server see the documentation

Hi @chrisatsafe​ 

 

Thanks for providing the third-party component versions web link which I did not know about.

We are currently going through our annual pen tests hence the query.

I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.

 

Thanks

Sameer


Hi @chrisatsafe​ 

 

Thanks for providing the third-party component versions web link which I did not know about.

We are currently going through our annual pen tests hence the query.

I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.

 

Thanks

Sameer

Hi @sameer​ ,

 

Yes, FME Server 2021.2.0 will use Tomcat 9.0.52. The release date for this version is early November.

 

Please also note that our developers have reviewed CVE-2021-33037 and they determined that this is an esoteric exploit that needs multiple vectors to be exploitable, notably there must be a load balancer running in front of tomcat that is some other service. Therefore if you do not use a LB, this vulnerability will not be applicable to an FME Server 2021.1 install.

 


Hi @chrisatsafe​ 

 

Thanks for providing the third-party component versions web link which I did not know about.

We are currently going through our annual pen tests hence the query.

I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.

 

Thanks

Sameer

Hi @hollyatsafe​ 

 

Thanks so much for this useful information.

 


Hi @chrisatsafe​ 

 

Thanks for providing the third-party component versions web link which I did not know about.

We are currently going through our annual pen tests hence the query.

I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.

 

Thanks

Sameer

Hi @hollyatsafe​ ,

for now seems that Tomcat 9.0.52 has none vulnerabilities as reported here:

https://www.cvedetails.com/version/666705/Apache-Tomcat-9.0.52.html

 

Andrea

 


Hi @chrisatsafe​ 

 

Thanks for providing the third-party component versions web link which I did not know about.

We are currently going through our annual pen tests hence the query.

I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.

 

Thanks

Sameer

Hi @afavaccio​ ,

According to this, not anymore: https://www.cvedetails.com/cve/CVE-2021-42340/


Hi @chrisatsafe​ 

 

Thanks for providing the third-party component versions web link which I did not know about.

We are currently going through our annual pen tests hence the query.

I assume here that 2021.2 will come pre-packaged with a higher version of Tomcat according to the article.

 

Thanks

Sameer

Thanks for the follow up. Hopefully with the the 2022 version and a newly packaged Tomcat, we won't have to worry about this anymore.

Nevertheless, this updated article will be useful as we have other Tomcat servers to look after.


Reply