Our security team found several security vulnerabilities with the version of Apache Tomcat deployed with WCC version 12.0.
The outstanding CVEs are CVE-2020-11996, CVE-2020-13934, CVE-2020-13935, CVE-2020-13943, CVE-2020-17527, CVE-2020-9484, CVE-2021-24122, CVE-2021-25122 & CVE-2021-25329.
We show that WCC is currently using Apache Tomcat version 9.0.33 and the security finding requires version 9.0.43 or higher.
If we upgrade our version of WCC from 12.0 to 12.0 SP1, will this resolve this issue?
Broadcom does not test each minor version of the third-party software.
As such, the Tech Docs documentation will not be updated for each new third-party release.
For Tomcat, we support updating to the latest version within the same release, i.e. from 9.0.33 to 9.0.XX.
We do not support going to a new version such as 11.
The Tomcat version is usually updated to a newer or the latest release with each full GA version.
Between GA releases, clients can follow the documentation to update Tomcat independently.
Both WCC 12.0 and 12.0 SP1 versions are provided with the Apache Tomcat 9.0.33 version.
The recommended solution will be to upgrade Apache Tomcat from 9.0.33 to 9.0.43 or higher.
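A quick way to check an installed instance against this guidance, as an added example that is not Broadcom's or the KB's own code: the shell below parses the "Server version" banner printed by Tomcat's own version.sh and checks that the instance is still within the supported 9.0 line and at or above 9.0.43. The banner lines used as input are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the KB. Extracts "9.0.33" from a banner line such as
# "Server version: Apache Tomcat/9.0.33" (the format printed by Tomcat's version.sh).
tomcat_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|.*Apache Tomcat/\([0-9][0-9.]*\).*|\1|p'
}

# Returns 0 when the version is in the supported 9.0.x line with patch level >= 43
# (the minimum named in the finding), 1 when it is a 9.0.x build older than that,
# and 2 when it is outside the 9.0 line (a move the KB says is not supported).
tomcat_version_ok() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ "$major" = "9" ] && [ "$minor" = "0" ] || return 2
    [ "${patch:-0}" -ge 43 ] || return 1
    return 0
}

# Constructed sample banners: the shipped build, a patched build, and an
# out-of-line build. In practice feed the output of $CATALINA_HOME/bin/version.sh.
for banner in 'Server version: Apache Tomcat/9.0.33' \
              'Server version: Apache Tomcat/9.0.43' \
              'Server version: Apache Tomcat/10.0.2'; do
    ver=$(tomcat_version_from_banner "$banner")
    rc=0
    tomcat_version_ok "$ver" || rc=$?
    case "$rc" in
        0) echo "$ver: OK (9.0.43 or higher)" ;;
        1) echo "$ver: below 9.0.43, upgrade within the 9.0 line" ;;
        2) echo "$ver: outside the 9.0 line, not a supported target for WCC 12.0" ;;
    esac
done
```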
You can consult the following documentation page for detailed information on the Tomcat upgrade, both for AutoSys and for Web UI (WCC):
Upgrade Tomcat Version for AutoSys (and WCC)
EEM uses a proprietary web server written by Broadcom; it does not use an OEM web server.
EEM does not use Tomcat, so it is not affected by Tomcat vulnerabilities.
Tomcat can be downloaded from the Official Apache Tomcat website.