03-06-2025 11:17 PM
Any idea how we can upgrade Apache Tomcat beyond 9.0.96? As of now I have installed ES56 on the Rogger, AW and PGs. Still, we are hitting the following critical vulnerabilities.
Apache Tomcat: Important: Remote Code Execution via write enabled Default Servlet. Mitigation for CVE-2024-50379 was incomplete - (CVE-2024-56337)
Apache Tomcat: Important: Remote Code Execution via write enabled Default Servlet (CVE-2024-50379)
Apache Tomcat: Low: DoS in examples web application (CVE-2024-54677)
Apache Tomcat Example Scripts Information Leakage
Remediating this would require Apache 9.0.98 or 9.0.99. I have already tried updating to these versions using the Upgrade Apache Tomcat Tool, but no luck.
UCCE Version - 12.6.2 (4K)
Vulnerability Scanning Tool - Rapid7
03-07-2025 04:48 AM
You may want to check out this defect for some requirements, apparently, if you want to go to newer versions than what you have listed. It looks like certain ESs are required, for instance.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk81097
If it still doesn't work if you have those already, then at least you can leverage this defect with a TAC case.
Hope this helps, please rate helpful posts.
03-07-2025 04:54 AM
Thanks Bill,
I have already installed ES56 using the above bug report. Unfortunately, it can only upgrade Apache Tomcat up to 9.0.96. I even have a TAC case running, and will know the update about this.
03-07-2025 08:32 AM
If you're engaging them, you may also want to ask them about this one too, since it specifically talks about Apache and that ES56.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo34611
Please let us know what the end result is.
03-07-2025 08:35 AM
Sure, Bill
I would ask them about the caveat. Thank you for sharing.