ArcGIS Data Store : Getting vulnerability error for Tomcat

jfmssupport · ‎05-30-2022

Hi Admin,

I am using ESRI enterprise suit 10.7.x including Geo-event Server.

Out IT admin found that an older version of Tomcat for ArcGIS Data Store gives a vulnerability alert.

Based on ESRI documentation found that :

1. Not possible to update only tomcat in ArcGIS Data Store

2. Need to update the entire data storage

3. Let's say if we update only tomcat then it might give an error for Geo-event Server

Attached is a screenshot for more details.

Kindly check and let us know the further steps and the best approach.

Thanks for the support.

Scott_Tansley · ‎05-30-2022

ArcGIS Enterprise is built of a number of software building blocks like tomcat, Java, log4J. The wider ArcGIS code is dependent upon those versions and so they are implemented by Esri within all AGE components as a BlackBox. Attempting to upgrade them, other than via ArcGIS upgrades would be risky and invalidate your support.

the best (only) way to upgrade tomcat (or any other sub component) within ArcGIS Enterprise is a full software upgrade to 10.9.1.

Scott Tansley
https://www.linkedin.com/in/scotttansley/

View solution in original post

Scott_Tansley · ‎05-30-2022

ArcGIS Enterprise is built of a number of software building blocks like tomcat, Java, log4J. The wider ArcGIS code is dependent upon those versions and so they are implemented by Esri within all AGE components as a BlackBox. Attempting to upgrade them, other than via ArcGIS upgrades would be risky and invalidate your support.

the best (only) way to upgrade tomcat (or any other sub component) within ArcGIS Enterprise is a full software upgrade to 10.9.1.

Scott Tansley
https://www.linkedin.com/in/scotttansley/

lpertovt · ‎07-20-2023

Hi @Scott_Tansley I am facing the same issue: Tenable is alerting about vulnerabilities on our 10.6.1 Enterprise deployment.

Two Questions:

1- Is there documentation supporting/explaining how patches remove/mitigate Tomcat vulnerabilities? I would like to see something similar to the log4j one (we used this one to request an exception with our Security team: https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2....

2- You suggested updating to Enterprise 10.9.1: which version of Tomcat is deployed with that ArcGIS version? I could not fin online a relation Enterprise version <=> Tomcat version.

Cheers!

Luis

Scott_Tansley · ‎07-20-2023

Esri don't publish the version of Tomcat that is in use. It's black boxed and effectively becomes Esri ArcGIS Enterprise 10.9.1. Given the age of this discussion, you may want to consider 11.1 instead of 10.9.1...

Sorry, I'm being blunt because I'm under the pump, but given you're running 10.6.1, I would personally be less bothered about Tomcat version and more bothered about the fact that all support for 10.6.1 stops on 31/12/2023. You'll have an unsupported version from 1 January 24...

https://support.esri.com/en-us/products/arcgis-enterprise/life-cycle

Scott Tansley
https://www.linkedin.com/in/scotttansley/

lpertovt · ‎07-20-2023

Thanks for your suggestion. However, 11.x is not compatible with some tools and configurations on our system. We have already plans for an upgrade, and the January deadline is not a concern, but the Tomcat vulnerabilities are.

Do you know if installing 10.9.1, Tenable will still report Tomcat vulnerabilities?

Scott_Tansley · ‎07-20-2023

I can't say if a third-party piece of monitoring will or will not. Like an anti-virus the signatures change regularly, and I guess tenable would use a similar regular update process? Sorry. Vulnerabilities change over time and so if I said it's okay today, it could report tomorrow. 10.9.1 is nearly 2 years old now, so there is a chance that it could report in the not-too-distant future.

Scott Tansley
https://www.linkedin.com/in/scotttansley/