upgrading Apache Tomcat to avoid known fixed vulnerabilities
Article ID: 107928
Updated On:
Products
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager
Issue/Introduction
The CA Service Management solution uses Apache Tomcat. Announcements of newly discovered or newly fixed vulnerabilities occur regularly.
For example, the following issue was reported publicly on 6 April 2018 and formally announced as a vulnerability on 22 July 2018.
Title: CVE-2018-1336 Apache Tomcat - Denial of Service
Description: An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service
Affects: 7.0.28 to 7.0.88; 8.5.0 to 8.5.30
Are the Tomcat releases listed in the CA Service Management Supportability Matrix the only releases that are supported?
Environment
CA Service Management 17.1
Resolution
The current point versions of Tomcat are supported as per the following statements in the documentation:
For example, at the time of writing this knowledge article:
Note: CA Service Management supports service packs and point releases not necessarily noted on this matrix as long as the problem reported is reproducible with versions that are listed on the support matrix.
CA Technologies reserves the right to refuse support of new point releases should the reported problem require a major redesign to function properly. If the resolution to a problem is determined to be outside the realm of CA Support responsibilities, they may ask that you escalate your request for certification to your local account team.
CA Technologies reserves the right to refuse support of new point releases should the reported problem require a major redesign to function properly. If the resolution to a problem is determined to be outside the realm of CA Support responsibilities, they may ask that you escalate your request for certification to your local account team.
For example, at the time of writing this knowledge article:
- The Third-Party Common Components section of the Supportability Matrix showed the following support for Apache Tomcat:
| CA SDM | CA Service Catalog | CA APM | USS | xFlow Analyst Interface |
| (8.5.6) | (8.5.6) | (8.5.6) | (7.0.40) | NA |
- For Tomcat 7, current point version is 7.0.90; for Tomcat 8.5, current point version is 8.5.32. Both of these point versions include a fix to vulnerability CVE-2018-1336. (Note: Version 8.5.32 also contains a fix to CVE-2018-8037; there does not yet appear to be a fix to that yet in 7.0.xx.)
Additional Information
https://docops.ca.com/ca-service-management/17-1/en/ca-service-management-17-1-release-notes/supportability-matrix
https://tomcat.apache.org/download-70.cgi
https://tomcat.apache.org/download-80.cgi
Please also review the following enhancement Idea in CA Communities:
Title: Add support for the recent version of Tomcat 9.x and JRE 10.x
https://communities.ca.com/ideas/235740460-add-support-for-the-recent-version-of-tomcat-9x-and-jre-10x
https://tomcat.apache.org/download-70.cgi
https://tomcat.apache.org/download-80.cgi
Please also review the following enhancement Idea in CA Communities:
Title: Add support for the recent version of Tomcat 9.x and JRE 10.x
https://communities.ca.com/ideas/235740460-add-support-for-the-recent-version-of-tomcat-9x-and-jre-10x
Feedback
Yes
No
Powered by
