Does Apache Tomcat come embedded with ArcGIS Enterprise Installation?

07-13-2021 12:29 PM
MichaelTorbett
Frequent Contributor

I have ArcGIS Enterprise 10.6.1 installed on a virtual machine with a Windows IIS Web Adapter. My network administrator recently did a security scan that shows an old version of Apache Tomcat. It either needs to be upgraded or uninstalled to be in compliance with my agency's security policy. However, I cannot find any evidence of it being installed. Does Apache Tomcat come embedded with ArcGIS Enterprise?

 

Thanks,

Michael

0 Kudos
15 Replies
alexanderzitzmann
Emerging Contributor

Are there any findings on this yet? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52316 is rated as critical at our organization.

0 Kudos
JoshuaBixby
MVP Esteemed Contributor

ArcGIS Enterprise 11.4.0 has Apache Tomcat/9.0.93

vipulsoni
Regular Contributor

Hi @JoshuaBixby ,

As per Apache Tomcat (https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r), it seems that ArcGIS Enterprise 11.4.0 also has a vulnerable version of embedded Tomcat installed. There are no patches from Esri yet for this issue.

0 Kudos
alexanderzitzmann
Emerging Contributor

I downloaded the latest apache-tomcat and replaced it at framework/runtime/tomcat/lib, tested on 11.2 Linux, no problems so far.

0 Kudos
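
A scanner finding like the one in the original question can be checked against what is on disk: Tomcat records its version in `org/apache/catalina/util/ServerInfo.properties` inside `catalina.jar`, which lives in the `framework/runtime/tomcat/lib` directory mentioned above. The following is an added example, not part of any post in this thread and not Esri code; the function names and the sample jar are constructed for illustration, and the minimum version to compare against has to come from the relevant Apache advisory.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Where Tomcat records its own version inside catalina.jar.
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"

def tomcat_version_from_jar(jar):
    """Return the Tomcat version in a catalina.jar (path or file object), or None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            text = zf.read(SERVER_INFO).decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None  # not a Tomcat jar, or unreadable
    m = (re.search(r"^server\.number\s*=\s*(\d+(?:\.\d+)*)", text, re.M)
         or re.search(r"^server\.info\s*=\s*Apache Tomcat/(\d+(?:\.\d+)*)", text, re.M))
    return m.group(1) if m else None

def find_embedded_tomcats(root):
    """Map every catalina.jar under root (e.g. the ArcGIS install dir) to its version."""
    found = {}
    for jar in Path(root).rglob("catalina.jar"):
        version = tomcat_version_from_jar(jar)
        if version:
            found[str(jar)] = version
    return found

def is_older(version, minimum):
    """Compare dotted versions numerically, so 9.0.93.0 < 9.0.96 and 9.0.100 > 9.0.96."""
    a = [int(p) for p in version.split(".")]
    b = [int(p) for p in minimum.split(".")]
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))

def build_sample_jar(version):
    """Constructed sample input: an in-memory jar holding only ServerInfo.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVER_INFO, f"server.info=Apache Tomcat/{version}\n"
                                 f"server.number={version}.0\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Usage: python check_tomcat.py <install_dir> <minimum_version_from_advisory>
    root, minimum = sys.argv[1], sys.argv[2]
    for path, ver in find_embedded_tomcats(root).items():
        print(f"{'OUTDATED' if is_older(ver, minimum) else 'ok':8} {ver:12} {path}")
```

Run it again after any upgrade or manual jar replacement to confirm that the version on disk matches what the scanner should now report.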
George_Thompson
Esri Notable Contributor

I would go over and review this CVE on the Trust | ArcGIS site. There may be some information on this.

Also read this thread about updating tomcat outside of the ArcGIS software upgrade / patches: https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379... 

--- George T.
0 Kudos
JoshuaBixby
MVP Esteemed Contributor

As covered in Apache Tomcat vulnerability CVE-2024-50379 - Esri Community, the vulnerability is not applicable to ArcGIS Server. I do not expect Esri to release a patch.

0 Kudos