AnsweredAssumed Answered

Tomcat Security Vulnerabilities

Question asked by GWei_At_Wells on May 4, 2017

My question involves the version of Tomcat bundled into the latest versions of the ArcGIS Server and Portal products (7.x.x.x).

      I am new to supporting ArcGIS for my employer, and have come into the picture after a failed attempt to update Tomcat on our ArcGIS server.   This broke ArcGIS completely.  Today, we are in process of reinstalling "Server" and "Portal", federation, and the whole enchilada - it has been a disaster.

     My employer runs Qualys scans internally - scans which pick up vulverable software versions (windows patches needed or old versions of Java, even outdated versions of Tomcat!)

     We try to make sure we are not running software which is known to have security problems.  Here at the Bank, my job is to find ways to update everything to latest versions if possible.  The lowest or oldest version of Tomcat that our bank will support is 8.5.15

     **MY QUESTION: Is it possible for the DEV team at ESRI to drop in (at least) Tomcat 8.5.15 into a TEST build (bundle or compile the installer with the latest -- or at least 8.5.15) and see if that would work just as well as 7.x.x.x?

    Please consider carving out some time to test out a modified installer package for me.  I really would like to know if it would be that painful for the DEV team to give it a try.

 

Thanks in advance,

Greg Wei, Wells Fargo Bank (San Francisco)

Outcomes