Hi,
We have ArcGIS Server 11.3 deployed in our Production environment, and recently the Cybersecurity Department flagged the presence of a vulnerability.
Vulnerability Details -
CVE-2024-56337: Apache Tomcat Patches Critical Remote Code Execution Vulnerability (Update Apache Tomcat) - The vulnerability stems from an incomplete mitigation of a previous vulnerability (CVE-2024-50379). The flaw is exploitable on case-insensitive file systems where Tomcat's default servlet has write functionality enabled. By manipulating specific paths, attackers can bypass security measures and upload malicious JSP files, leading to remote code execution. Exploitation of this vulnerability enables attackers to execute arbitrary code on the affected server, potentially granting them complete control over the system.
Installed Version -
Apache Tomcat - 9.0.84.0 (ArcGIS 11.3) (Affected Version).
Product Affected Versions
Apache Tomcat
11.0.0-M1 to 11.0.1
10.1.0-M1 to 10.1.33
9.0.0.M1 to 9.0.97
Fixed Tomcat Versions -
11.0.2 or later
10.1.34 or later
9.0.98 or later
Similar Post (but without any solution) - https://community.esri.com/t5/arcgis-enterprise-questions/does-apache-tomcat-come-embedded-with-arcg...
We planned to fix this but came to understand from the above post that even if we try upgrading the Production environment to ArcGIS Enterprise 11.4, the embedded Apache Tomcat is still a vulnerable version - Apache Tomcat 9.0.93.
This issue of Apache Tomcat needs a Patch from ESRI for the ArcGIS Enterprise 11.3 and 11.4 versions as well.
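A defender-side check of the two conditions quoted above (installed version below the fixed release for its branch, and the default servlet configured with readonly=false), written here as an added example; this is not code from the post or from Esri or Apache, and the version strings and web.xml fragment are constructed samples:

```python
"""Check a Tomcat install against CVE-2024-56337's fixed-version table and the
'default servlet write-enabled' precondition named above. Added example, not
Esri's or Apache's code; the version string and web.xml below are constructed."""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, from the advisory table in the post.
FIXED = {9: (9, 0, 98), 10: (10, 1, 34), 11: (11, 0, 2)}

def parse_version(text):
    """'9.0.84.0', '9.0.0.M1' or '11.0.0-M1' -> (major, minor, patch, milestone);
    GA releases get milestone=inf so they sort after any milestone of that number."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?(?:\.\d+)?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else float("inf"))

def is_version_affected(text):
    """True below the branch's fixed release, False at/after it, None for branches not in the table."""
    v = parse_version(text)
    fixed = FIXED.get(v[0])
    return None if fixed is None else v < fixed + (float("inf"),)

def default_servlet_writable(web_xml_text):
    """True if conf/web.xml sets readonly=false on the 'default' servlet (Tomcat ships readonly=true)."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # ignore the javaee/jakartaee namespace
    for servlet in (el for el in ET.fromstring(web_xml_text).iter() if local(el) == "servlet"):
        name = next((c.text or "" for c in servlet if local(c) == "servlet-name"), "")
        if name.strip() != "default":
            continue
        for param in (c for c in servlet if local(c) == "init-param"):
            kv = {local(c): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
    return False

def assess(version_text, web_xml_text, case_insensitive_fs=True):
    """Combine the conditions: affected version AND writable default servlet AND case-insensitive FS."""
    affected = is_version_affected(version_text)
    writable = default_servlet_writable(web_xml_text)
    return {"version_affected": affected, "default_servlet_writable": writable,
            "exposed": bool(affected) and writable and case_insensitive_fs}

# Constructed sample web.xml showing the readonly=false setting the advisory describes.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
```

Feed it the string printed by version.bat and the contents of the embedded Tomcat's conf/web.xml; a Windows NTFS host counts as a case-insensitive file system for the last condition.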
I believe this post will address your concerns. https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379...
The very last comment references the CVE you are concerned about (although you'll need to read the entire thread for the full explanation).
Where would one go on a computer (server) with ArcGIS Server installed to find out the version of Apache Tomcat?
Can this be found in Control Panel? I do not see any mention of Apache Tomcat software there.
It is in the link in the original post: https://community.esri.com/t5/arcgis-enterprise-questions/does-apache-tomcat-come-embedded-with-arcg...
George:
The original post in this thread says:
Product Affected Versions
Apache Tomcat
11.0.0-M1 to 11.0.1
10.1.0-M1 to 10.1.33
9.0.0.M1 to 9.0.97
I ran version.bat on my server and it returned 9.0.84.0 which appears to be within the affected range.
As such how does one get an upgraded Apache Tomcat version?
Tomcat can be separately downloaded from Apache and updated in the ArcGIS Server installation directory, but this is not at all recommended by ESRI; it might lead to system instability issues.
As @vipulsoni said, this is not a supported / recommended path. Please see the comment from @RandallWilliams here: https://community.esri.com/t5/arcgis-enterprise-questions/apache-tomcat-vulnerability-cve-2024-50379...
I would highly recommend you go over to the https://trust.arcgis.com/en/ site and look at the documentation there related to this CVE.