
I don't know how many of you are responsible for Tomcat upgr...


Toby Mills


I don't know how many of you are responsible for Tomcat upgrades, but I'm going through my second round of upgrading this year and figured it might be good to run over both the security vulnerabilities, and I'll put up an Excel file where I've tried to generically write down the steps I go through to do an upgrade of Tomcat.

First let's talk about the vulnerabilities and why you'd want to go through the exercise of upgrading Tomcat in the first place. Here's a whole list from the Apache Tomcat folks:

Apache Tomcat 8.x vulnerabilities

http://tomcat.apache.org/security-8.html#Apache_Tomcat_8.x_vulnerabilities

I specifically started down this trail with a vulnerability called the Ghostcat vulnerability:

Important: AJP Request Injection and potential Remote Code Execution CVE-2020-1938

This meant upgrading to Tomcat 8.5.51. I can get you more info about the rest of this fix if it's something you're responsible for. I found this page helpful in ultimately resolving this one:

How to fix the Ghostcat vulnerability (CVE-2020-1938) | Synopsys (Software Integrity Blog, 1 Apr 20)

Ghostcat (CVE-2020-1938) is an Apache Tomcat vulnerability that allows remote code execution in some circumstances. Here's how to find and mitigate it.

Here are others that I am most concerned with addressing by upgrading to 8.5.57:

Important: WebSocket DoS CVE-2020-13935

Moderate: HTTP/2 DoS CVE-2020-13934

Obviously most of you who have to do this more often already have a plan for it, but I haven't seen a document specific to WebFOCUS, so I thought I'd make one.

Upgrading Tomcat on Windows.xlsx (4.4 MB)

I realize lots of you run Linux based systems so of course, this might not be super helpful.

Let me bullet point the steps so you can tell that the basics are pretty straightforward.

1. Download the new version of Tomcat you want to install.

2. Back up the Tomcat\conf folder. All the magic that helps Tomcat run right in your organization is already in there. It also has the context roots like /ibi_apps etc. in there.

3. Start up Tomcat Manager and get screenshots and copy/paste all the info you can into a document you can refer to later. This is how you'll re-configure your new Tomcat to start up and run the same way. Especially watch the Java tab and get that written down.

4. Uninstall Tomcat.

5. Install the new Tomcat.

6. Re-configure Tomcat with the things you backed up in step 2.

Another security thing I am getting asked about is that the standard landing page is considered taboo. I've just deleted the tomcat\webapps\ROOT folder (actually copied it to my backup location and then deleted). I don't know if that will solve my security scan complaints, but it should.

Feel free to make the document better however you'd like. If you're a Unix/Linux guy and want to make a version of this document, that'd be great!

Also, I think I removed any company-specific info in the doc; it's all generic. If you see that I missed something, please PM me and I'll update the doc.

Hope some of you find this useful.

Thanks!

Toby Mills, CISSP


  • 5 months later...

No problem, Rob.

The new 8.5.61 is the current release if you're staying in the 8.5 world. There's also Tomcat 9 and now Tomcat 10, apparently.

I just used my instructions to go back through 8 machines last week to bring them up to 8.5.61.

Here's a list of the vulnerabilities and fixes for each sub-release of Tomcat 8:

http://tomcat.apache.org/security-8.html

We had a scanner (Nessus) that found that I had this vulnerability:

CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

@robert.kottelenberg the new releases do ship with pretty current Tomcats. I checked to see about that a few months ago and it seemed like the product division is keeping a good eye on security changes. The catch is that usually, when you upgrade, Tomcat wont be touched. Remember WebFOCUS runs with all sorts of Web Application servers besides Tomcat. So you may find yourself manually upgrading.

It turns out not to be so hard to do. Takes me about an hour and I do a lot of screenshots.

Essentially it's just a matter of backing up your current conf folder and getting screenshots of anything you might want from the Tomcat configuration utility. Then just uninstall and reinstall and sync up your files and Tomcat settings.

Feel free to hit me up if anybody is having trouble with their Tomcat upgrades.

Toby

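The backup step from the original post's list (step 2, the conf folder plus the webapps\ROOT folder it deletes afterwards) and the same summary in the reply above, as an added, cross-platform example that is not part of the thread or the attached spreadsheet. It copies those folders into a timestamped backup and then checks the backed-up server.xml for an AJP connector that still carries the pre-8.5.51 (Ghostcat, CVE-2020-1938) settings; the sample server.xml is constructed for the demonstration, and the script name and paths are assumptions.

```python
import shutil
import sys
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

# Constructed sample server.xml (not from the post or any real install): an AJP
# connector carried forward from a pre-8.5.51 conf, neither pinned nor secured.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

def backup_tomcat(tomcat_home, backup_root):
    """Step 2 of the post: copy conf (and webapps/ROOT, which the post deletes only
    after backing it up) into a timestamped folder. Returns (dest, copied)."""
    home = Path(tomcat_home)
    dest = Path(backup_root) / datetime.now().strftime("tomcat-%Y%m%d-%H%M%S")
    copied = []
    for rel in ("conf", "webapps/ROOT"):
        src = home.joinpath(*rel.split("/"))
        if src.is_dir():
            shutil.copytree(src, dest.joinpath(*rel.split("/")))
            copied.append(rel)
    return dest, copied

def audit_ajp_connectors(server_xml_text):
    """Flag AJP connectors that still look pre-Ghostcat: 8.5.51 made AJP loopback-only
    and secret-required by default, but a restored server.xml keeps its old settings."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port, issues = conn.get("port"), []
        if conn.get("address") not in ("127.0.0.1", "::1", "localhost"):
            issues.append(f"AJP port {port}: address not pinned to loopback")
        if not conn.get("secret") or conn.get("secretRequired", "true").lower() != "true":
            issues.append(f"AJP port {port}: no shared secret enforced")
        findings.append({"port": port, "issues": issues})
    return findings

if __name__ == "__main__":  # usage: python tomcat_backup_audit.py <tomcat_home> <backup_root>
    dest, copied = backup_tomcat(sys.argv[1], sys.argv[2])
    print(f"backed up {copied} to {dest}")
    for f in audit_ajp_connectors((dest / "conf" / "server.xml").read_text()):
        print(f["port"], f["issues"] or "ok")
```

Run the audit again on the new install's server.xml after step 6, since that is the file that ends up in service; the flagged attributes are the ones to set (or the connector to remove) before the scanner runs.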

Glad you like the spreadsheet

Upgrading to Tomcat 9 is allowed according to the link you posted:

 

The 9 just kind of gets lost floating up high like that.

Also, I don't think Tomcat 9 is really that helpful to WebFOCUS. Maybe I'm wrong. I think IBI is still shipping with Tomcat 8.5x.

