Applications Manager and Tomcat vulnerability CVE-2024-50379 | CVE-2024-54677 | CVE-2024-56337


Article ID: 397063


Updated On:

Products

CA Automic Applications Manager (AM)

Issue/Introduction

Applications Manager (AM) version 9.4+ packages and uses Apache Tomcat.

Is the Apache Tomcat packaged with Applications Manager vulnerable to CVE-2024-50379, CVE-2024-54677 or CVE-2024-56337?

Environment

Applications Manager version 9.4+

Resolution

For Applications Manager 9.4 - 9.4.4 HF2:

Upgrade to Tomcat version 10.1.40 or higher. If needed, refer to Upgrading or updating Tomcat.


For Applications Manager 9.5 - 9.5.3:

Either upgrade to Tomcat version 10.1.40 or higher, or upgrade to Tomcat version 11.0.6 or higher (NOTE: Tomcat 11 REQUIRES Java 17 or OpenJDK 17). If needed, refer to Upgrading or updating Tomcat.
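After upgrading, it is worth confirming that the Tomcat actually loaded by Applications Manager meets the fixed versions named above (10.1.40 for the 10.1 line, 11.0.6 for the 11.0 line). The following shell check is an added example, not part of this article or of the product; it assumes CATALINA_HOME points at the Tomcat installation used by Applications Manager and reads the version from Tomcat's own bin/version.sh banner.

```shell
#!/bin/sh
# Added example (not from the article): compare a Tomcat version against the
# fixed releases this article names. Assumption: CATALINA_HOME is the Tomcat
# bundled with Applications Manager.

# tomcat_line_status VERSION -> prints "fixed", "vulnerable" or "not-covered".
# Thresholds per release line, as stated in the article: 10.1.40 and 11.0.6.
# Other lines (e.g. 9.0.x) are not addressed by the article, so they are
# reported as "not-covered" rather than guessed at.
tomcat_line_status() {
  ver=$1
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%[!0-9]*}   # drop suffixes such as "-M1"
  case "$major.$minor" in
    10.1) [ "$patch" -ge 40 ] && echo fixed || echo vulnerable ;;
    11.0) [ "$patch" -ge 6 ]  && echo fixed || echo vulnerable ;;
    *)    echo not-covered ;;
  esac
}

# tomcat_version_from_banner LINE -> "10.1.40" from
#   "Server version: Apache Tomcat/10.1.40" (the format printed by version.sh)
tomcat_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's#.*Apache Tomcat/\([0-9][0-9.]*\).*#\1#p'
}

# check_installed_tomcat -> queries $CATALINA_HOME/bin/version.sh and reports
# "<version> <status>"; returns 2 if the version cannot be determined.
check_installed_tomcat() {
  banner=$("${CATALINA_HOME:?set CATALINA_HOME to the bundled Tomcat}/bin/version.sh" 2>/dev/null \
           | grep '^Server version')
  ver=$(tomcat_version_from_banner "$banner")
  [ -n "$ver" ] || { echo "could not determine Tomcat version"; return 2; }
  printf '%s %s\n' "$ver" "$(tomcat_line_status "$ver")"
}

# Constructed sample banner so the script is demonstrable offline;
# run check_installed_tomcat on a real host instead.
sample='Server version: Apache Tomcat/10.1.39'
v=$(tomcat_version_from_banner "$sample")
printf 'sample %s -> %s\n' "$v" "$(tomcat_line_status "$v")"
```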


For Applications Manager 9.6:

Applications Manager includes an integrated web server based on Tomcat. However, this is not the full Tomcat application, since Applications Manager only uses a number of Tomcat libraries provided through the Spring framework.

With this usage, while the integrated web server is vulnerable to CVE-2024-50379, CVE-2024-54677 and CVE-2024-56337, the issues are NOT exploitable in Applications Manager because the condition needed to trigger them is never satisfied.

Any Tomcat library flagged for these CVEs by your vulnerability scanning tool will need to be whitelisted (accepted as a false positive) in the scanner.