
Upgrading Apache Tomcat to Address Vulnerabilities


Article ID: 187052




CA Service Desk Manager CA Service Management - Service Desk Manager


Vulnerabilities are sometimes reported against third-party components such as Apache Tomcat.

It may be desirable to upgrade the version of Tomcat to address such vulnerabilities.


Service Desk Manager 14.1, 17.1, 17.2 and 17.3

All Supported Operating Systems


Basically, Service Desk Manager may be upgraded to use any Tomcat 8.5-based version.  The most current version of Tomcat 8.5 is version 8.5.76 (

There is one general upgrade procedure.  It is the same for all versions of Service Desk Manager with Tomcat.  It is documented as follows in the online product documentation for CA Service Desk Manager 14.1.

The procedure to upgrade Tomcat can be viewed here:

Another scenario to consider is when the Tomcat configuration, rather than the Tomcat version itself, needs to be updated to address a vulnerability.  This doc link discusses Cross-Site Scripting vulnerabilities and how to address them:

In one such instance, a third-party security scanning tool was found to be probing one of the pdmweb.exe parameters by simulating a malicious code (script injection) attack.  The correct response was to update the White List pattern so that it disallows certain characters in the parameter involved in the attack.  Restricting the parameter to a limited character set, such as alphanumeric characters only, effectively prevents the code attack.
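The following is an added illustration of the allow-list approach described above; it is not code from this article or from Service Desk Manager, and the parameter names (id, search, op), the length limits and the sample query are all constructed assumptions, since the article does not name the pdmweb.exe parameter involved and the product's White List configuration has its own syntax. It shows the check a defender wants: an anchored, full-string allow-list per parameter, alongside the common unanchored variant that leaks a trailing newline through.

```python
import re
from urllib.parse import parse_qsl

# Allow-list patterns per request parameter. The names and limits are
# hypothetical placeholders for whatever the site's White List configures.
PARAM_ALLOWLIST = {
    "id": re.compile(r"\A[0-9]{1,12}\Z"),             # numeric identifier only
    "search": re.compile(r"\A[A-Za-z0-9 ]{0,64}\Z"),  # alphanumerics and spaces
}
# Fallback for parameters with no dedicated pattern: alphanumerics plus _ . -
DEFAULT_PATTERN = re.compile(r"\A[A-Za-z0-9_.-]{0,64}\Z")


def naive_match(value: str) -> bool:
    """A common but flawed check.

    re.match only anchors the start, and '$' also matches just before a
    trailing newline, so a value of 'abc' followed by a newline is accepted.
    """
    return re.match(r"^[A-Za-z0-9]+$", value) is not None


def strict_match(value: str, pattern: re.Pattern = DEFAULT_PATTERN) -> bool:
    """The corrected check.

    \\A and \\Z together with fullmatch require the whole value to consist of
    allowed characters, closing the trailing-newline loophole.
    """
    return pattern.fullmatch(value) is not None


def validate_query(query: str) -> dict:
    """Validate every parameter of a raw query string against its allow-list.

    Returns {"accepted": {name: value}, "rejected": [(name, value), ...]}.
    The rejected entries are what a defender would block and log.
    """
    accepted, rejected = {}, []
    for name, value in parse_qsl(query, keep_blank_values=True):
        pattern = PARAM_ALLOWLIST.get(name, DEFAULT_PATTERN)
        if strict_match(value, pattern):
            accepted[name] = value
        else:
            rejected.append((name, value))
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample query in the style of a scanner probe; the script-tag
# value is a generic test string, not a payload taken from the article.
SAMPLE_QUERY = "id=12345&search=<script>alert(1)</script>&op=list"

if __name__ == "__main__":
    result = validate_query(SAMPLE_QUERY)
    print("accepted:", result["accepted"])
    print("rejected:", result["rejected"])
    print("naive accepts 'abc\\n':", naive_match("abc\n"))
    print("strict accepts 'abc\\n':", strict_match("abc\n"))
```

The design point is that an allow-list defines what is permitted and rejects everything else, so new characters or encodings a scanner tries do not need to be enumerated; the pattern must be anchored at both ends and applied to the entire value, and every parameter the application reads should have one.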

Additional Information

Please test any upgrades for Tomcat in a non-prod instance before attempting in production and be sure to have a rollback plan developed for any production upgrades to Tomcat prior to any such attempt.

Please review the Supportability Matrix for any questions regarding the compatibility and supportability of any components that need to be upgraded:

It is the responsibility of the end user to work with their security team to determine the nature of the attack and the associated actions needed to address the issue.  This may include an analysis of the nature of the attack (i.e., whether a specific parameter was involved) and of how to address it based on site requirements.  Support is limited in the amount of assistance it can render when examining and analyzing any third-party reports.