We have detected vulnerabilities on Tomcat for Jaspersoft . Please review and let me know remediation.
Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.
Apache Tomcat have the documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks
Apache Tomcat 10.1.0-M1 to 10.1.0-M14
Apache Tomcat 10.0.0-M1 to 10.0.20
Apache Tomcat 9.0.13 to 9.0.62
Apache Tomcat 8.5.38 to 8.5.78
QID Detection Logic (Unauthenticated):
The QID checks for vulnerable version by sending a GET /QUALYS730242 HTTP/1.0 request which helps in retrieving the installed version of Apache Tomcat in the banner of the response.
Upgrade to the Apache Tomcat to the latest version of Apache Tomcat. Please refer to Apache Tomcat Security Advisory.
Following are links for downloading patches to fix the vulnerabilities:
CA Bussines intelligence version 7.9.1
Release : 22.2
You would need to install Jasper 7.9.2 which is supported with NetOps release 22.2.1 and above:
Support for CA Business Intelligence 7.9.2
This release supports CA Business Intelligence (CABI) 7.9.2. The CABI 7.9.2 version includes the following enhancements:
Apache Tomcat is now upgraded to the 8.5.81 version.
OpenJDK is now upgraded to the 1.8.0_332-b09 version.