https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575700#M41399 <P>Hi,</P><P>We have ARCGIS Server 11.3 deployed in Production environment and recently the Cybersecurity Department flagged a vulnerability presence.</P><P><STRONG>Vulnerability</STRONG> Details -&nbsp;</P><P><STRONG>CVE-2024-56337</STRONG>: <STRONG>Apache Tomcat Patches Critical Remote Code Execution Vulnerability</STRONG> (Update Apache Tomcat )-&nbsp;The vulnerability stems from an incomplete mitigation of previous vulnerability (CVE-2024-50379). The flaw is exploitable on case-insensitive file systems where Tomcat’s default servlet has write functionality enabled. By manipulating specific paths, attackers can bypass security measures and upload malicious JSP files, leading to remote code execution. Exploitation of this vulnerability enables attackers to execute arbitrary code on the affected server, potentially granting them complete control over the system.</P><P><STRONG>Installed</STRONG> <STRONG>Version</STRONG> -</P><P><SPAN><STRONG>Apache Tomcat -&nbsp;9.0.84.0 (ArcGIS 11.3) (Affected Version).</STRONG></SPAN></P><P><STRONG>Product Affected Versions&nbsp;<BR />Apache Tomcat<BR />11.0.0-M1 to 11.0.1<BR />10.1.0-M1 to 10.1.33<BR />9.0.0.M1 to 9.0.97</STRONG></P><P><STRONG>Fixed Tomcat Versions -<BR />11.0.2 or later<BR />10.1.34 or later<BR />9.0.98 or later</STRONG></P><P><STRONG>Similar Post (</STRONG>but without any solution)<STRONG> -&nbsp;&nbsp;</STRONG><A href="https://community.esri.com/t5/arcgis-enterprise-questions/does-apache-tomcat-come-embedded-with-arcgis/td-p/1078440/page/2" target="_blank" rel="noopener">https://community.esri.com/t5/arcgis-enterprise-questions/does-apache-tomcat-come-embedded-with-arcgis/td-p/1078440/page/2</A></P><P>We planned to fix this but came to understand from the above Post that even if try upgrading the Production Environment to ArcGIS Enterprise 11.4 the Apache Tomcat Version Embedded comes with vulnerable version -&nbsp;<SPAN>&nbsp;Apache Tomcat -9.0.93.</SPAN></P><P><SPAN>This issue of Apache Tomcat needs a Patch from ESRI for the&nbsp; ArcGIS Enterprise 11.3 and 11.4 versions as well.</SPAN></P> Wed, 15 Jan 2025 04:23:18 GMT vipulsoni 2025-01-15T04:23:18Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575700#M41399 <P>Hi,</P><P>We have ARCGIS Server 11.3 deployed in Production environment and recently the Cybersecurity Department flagged a vulnerability presence.</P><P><STRONG>Vulnerability</STRONG> Details -&nbsp;</P><P><STRONG>CVE-2024-56337</STRONG>: <STRONG>Apache Tomcat Patches Critical Remote Code Execution Vulnerability</STRONG> (Update Apache Tomcat )-&nbsp;The vulnerability stems from an incomplete mitigation of previous vulnerability (CVE-2024-50379). The flaw is exploitable on case-insensitive file systems where Tomcat’s default servlet has write functionality enabled. By manipulating specific paths, attackers can bypass security measures and upload malicious JSP files, leading to remote code execution. Exploitation of this vulnerability enables attackers to execute arbitrary code on the affected server, potentially granting them complete control over the system.</P><P><STRONG>Installed</STRONG> <STRONG>Version</STRONG> -</P><P><SPAN><STRONG>Apache Tomcat -&nbsp;9.0.84.0 (ArcGIS 11.3) (Affected Version).</STRONG></SPAN></P><P><STRONG>Product Affected Versions&nbsp;<BR />Apache Tomcat<BR />11.0.0-M1 to 11.0.1<BR />10.1.0-M1 to 10.1.33<BR />9.0.0.M1 to 9.0.97</STRONG></P><P><STRONG>Fixed Tomcat Versions -<BR />11.0.2 or later<BR />10.1.34 or later<BR />9.0.98 or later</STRONG></P><P><STRONG>Similar Post (</STRONG>but without any solution)<STRONG> -&nbsp;&nbsp;</STRONG><A href="https://community.esri.com/t5/arcgis-enterprise-questions/does-apache-tomcat-come-embedded-with-arcgis/td-p/1078440/page/2" target="_blank" rel="noopener">https://community.esri.com/t5/arcgis-enterprise-questions/does-apache-tomcat-come-embedded-with-arcgis/td-p/1078440/page/2</A></P><P>We planned to fix this but came to understand from the above Post that even if try upgrading the Production Environment to ArcGIS Enterprise 11.4 the Apache Tomcat Version Embedded comes with vulnerable version -&nbsp;<SPAN>&nbsp;Apache Tomcat -9.0.93.</SPAN></P><P><SPAN>This issue of Apache Tomcat needs a Patch from ESRI for the&nbsp; ArcGIS Enterprise 11.3 and 11.4 versions as well.</SPAN></P> Wed, 15 Jan 2025 04:23:18 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575700#M41399 vipulsoni 2025-01-15T04:23:18Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575708#M41403 <P>I believe this post will address your concerns.&nbsp;<A href="https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379/m-p/1574838/highlight/true#M41383" target="_blank">https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379/m-p/1574838/highlight/true#M41383</A></P><P>The very last comment references the CVE you are concerned about (although you'll need to read the entire thread for the full explanation).</P> Wed, 15 Jan 2025 04:44:02 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575708#M41403 RyanUthoff 2025-01-15T04:44:02Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575975#M41421 <P>Where would one go on a computer (server) with ArcGIS Server installed to find out the version of&nbsp;<SPAN>Apache Tomcat?</SPAN></P><P><SPAN>Can this be found in Control Panel as I do not see mention of Apache Tomcat software there?</SPAN></P> Wed, 15 Jan 2025 20:56:46 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575975#M41421 MikeVolz 2025-01-15T20:56:46Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575984#M41422 <P>It is in the link in the original post:&nbsp;<A href="https://community.esri.com/t5/arcgis-enterprise-questions/does-apache-tomcat-come-embedded-with-arcgis/m-p/1557532/highlight/true#M40954" target="_blank">https://community.esri.com/t5/arcgis-enterprise-questions/does-apache-tomcat-come-embedded-with-arcgis/m-p/1557532/highlight/true#M40954</A></P><P>&nbsp;</P> Wed, 15 Jan 2025 21:12:53 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575984#M41422 George_Thompson 2025-01-15T21:12:53Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575989#M41423 <P>George:</P><P>The original post in this thread says:</P><P><STRONG>Product Affected Versions&nbsp;<BR />Apache Tomcat<BR />11.0.0-M1 to 11.0.1<BR />10.1.0-M1 to 10.1.33<BR />9.0.0.M1 to 9.0.97</STRONG></P><P><STRONG>I ran version.bat on my server and it returned 9.0.84.0 which appears to be within the affected range.</STRONG></P><P><STRONG>As such how does one get an upgraded Apache Tomcat version?</STRONG></P> Wed, 15 Jan 2025 21:22:04 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1575989#M41423 MikeVolz 2025-01-15T21:22:04Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1576304#M41424 <P>Tomcat can be separately downloaded from APACHE and can be updated in the ArcGIS Server installation directory, but this is not at all recommended from ESRI. it might lead system instability issues.</P><P><A href="https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379/m-p/1570749/highlight/true#M41280" target="_blank">https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379/m-p/1570749/highlight/true#M41280</A></P> Thu, 16 Jan 2025 08:36:37 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1576304#M41424 vipulsoni 2025-01-16T08:36:37Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1576344#M41426 <P>As&nbsp;<a href="https://community.esri.com/t5/user/viewprofilepage/user-id/2853">@vipulsoni</a>&nbsp;said, this is not a supported / recommended path. Please see the comment from&nbsp;<a href="https://community.esri.com/t5/user/viewprofilepage/user-id/2892">@RandallWilliams</a>&nbsp;here:&nbsp;<A href="https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379/m-p/1573139/highlight/true#M41337" target="_blank">https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379/m-p/1573139/highlight/true#M41337</A><BR /><BR />I would highly recommend you go over to the&nbsp;<A href="https://trust.arcgis.com/en/" target="_blank">https://trust.arcgis.com/en/</A>&nbsp;site and look at the documentation there related to this CVE.</P> Thu, 16 Jan 2025 13:00:45 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1576344#M41426 George_Thompson 2025-01-16T13:00:45Z https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1610106#M42120 <P>Don't do this. You will break ArcGIS Enterprise and make it LESS secure, not MORE secure. An in place upgrade of the embedded Tomcat is NOT the solution and is completely unsupported.&nbsp;</P> Tue, 29 Apr 2025 17:45:13 GMT https://community.esri.com/t5/arcgis-enterprise-questions/arcgis-server-embedded-apache-tomcat-server/m-p/1610106#M42120 RandallWilliams 2025-04-29T17:45:13Z