Is WAR files kept in webapps folder is required post installation?

[Madhavan TR]

Background: We are using WEBFOCUS 82. Recently, when we ran vulnerability scan, we noticed the vulnerability "Vmware Spring: CVE-2022-22965: Spring Framework RCE via Data Binding" pointed to below files.

Action planned: We thought to keep below war files out of production server. This is with an assumption that below WAR files required only during redployment.

Query: Please suggest whether below WAR files can be moved out of production server or not. Thank you!!

<installation directory>webappswebfocus.war

<installation directory>webappswebfocus.war

<installation directory>worpcomponentsopsjsr168ops.war

<installation directory>webappsops286.war

<installation directory>webappsops286.war

[Patrick Huebgen]

Those war files are one of they ways to deploy WebFOCUS - if they are in use depends on how you deployed WebFOCUS.

Are you using the war files in you AppServer Config.

Which version of WebFOCUS are you using?

Regarding CVE-2022-22965 - please check

https://support.tibco.com/s/article/TIBCO-WebFOCUS-Releases-8207-28-and-9-0-and-Spring-Framework-Vulnerability

[Patrick Huebgen]

just for clarification - if you confirmed step 4 from above link

4 Open xxx:ibitomcatconfCatalinalocalhostibi_apps.xml. If docBase does not include .war, your testing is complete.

You are safe to delete the war files

[Madhavan TR]

Hi Patrick,

We tried the steps mentioned in the url. We assume, we can safely remove the WAR files out of production server and keep it back up server. Thank you for explanation!!

1. We are using Apache Tomcat (confirmed via HTTP Request info)
2. We are using Java 1.8 (confirmed via JVM Property Info)
3. We are not using war file. (confirmed via ibi_apps.xml)

<?xml version="1.0" encoding="UTF-8"?>

<Context useHttpOnly="true" path="/ibi_apps" docBase="**********ibiWebFOCUS82webappswebfocus"> </Context>

[Patrick Huebgen]

yes this indicates that you are not using the war file and you are save to backup them somewhere else