Forum Discussion

8 months ago

Upgrade tomcat instance

Netbackup 10.4 has a vulnerable version of tomcat running.

I need to patch it (or throw the webserver in the trash since we don't use it anyway, but that doesn't seem possible)

I tried downloading the latest version of tomcat 9.0.88 and extracting and putting the files in /usr/openv/wmc/webserver, netbackup starts. I am able to query and see tomcat version 9.0.88 is in place but the vulnerability tool still shows 9.0.85 as the version installed. I am wondering if there is a documented way to upgrade the tomcat server?
I have found several VOX articles about it, but none really new, and I'm not sure netbackup supports those methods.

/usr/openv/java/jre/bin/java -cp /usr/openv/wmc/webserver/lib/catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/9.0.88
Server built: Apr 9 2024 13:22:30 UTC
Server number: 9.0.88.0
OS Name: Linux
OS Version: 4.18.0-513.24.1.el8_9.x86_64
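The ServerInfo query above reads a properties resource bundled inside catalina.jar, so it only ever describes the one jar named on the classpath. A vulnerability scanner may be fingerprinting a different copy of the jar on the same host, or reading the jar's manifest rather than ServerInfo.properties. The script below is an added example (not from this thread and not Veritas code) that walks a directory tree, reads the version from every catalina.jar it finds, and reports when more than one build is present. The directory layout, the fixture jars and the `make_fake_catalina_jar` helper are constructed for the demo; on a real server you would point `find_catalina_versions` at a path such as /usr/openv.

```python
import os
import tempfile
import zipfile

# Real catalina.jar files carry this resource; it is what
# org.apache.catalina.util.ServerInfo prints.
SERVERINFO_PATH = "org/apache/catalina/util/ServerInfo.properties"
MANIFEST_PATH = "META-INF/MANIFEST.MF"


def _parse_properties(raw):
    """Parse simple key=value (or key: value) text into a dict."""
    props = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def read_catalina_version(jar_path):
    """Return the version strings embedded in one catalina.jar.

    Looks at both ServerInfo.properties (what ServerInfo reports) and the
    manifest's Implementation-Version (what some scanners key on).
    """
    result = {"server.info": None, "server.number": None, "manifest.version": None}
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        if SERVERINFO_PATH in names:
            props = _parse_properties(jar.read(SERVERINFO_PATH).decode("utf-8"))
            result["server.info"] = props.get("server.info")
            result["server.number"] = props.get("server.number")
        if MANIFEST_PATH in names:
            manifest = _parse_properties(jar.read(MANIFEST_PATH).decode("utf-8"))
            result["manifest.version"] = manifest.get("Implementation-Version")
    return result


def find_catalina_versions(root):
    """Walk root and map every catalina.jar path to its embedded versions."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == "catalina.jar":
                path = os.path.join(dirpath, name)
                found[path] = read_catalina_version(path)
    return found


def distinct_builds(found):
    """Sorted list of distinct server.number values seen across all jars."""
    return sorted({v["server.number"] for v in found.values() if v["server.number"]})


def make_fake_catalina_jar(path, version):
    """Constructed fixture: a minimal jar with only the two version-bearing files."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    serverinfo = (
        f"server.info=Apache Tomcat/{version}\n"
        f"server.number={version}.0\n"
        "server.built=constructed\n"
    )
    manifest = f"Manifest-Version: 1.0\nImplementation-Version: {version}\n"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(SERVERINFO_PATH, serverinfo)
        jar.writestr(MANIFEST_PATH, manifest)


def demo():
    """Build a constructed tree holding two copies of catalina.jar and compare them."""
    root = tempfile.mkdtemp(prefix="catalina-demo-")
    make_fake_catalina_jar(os.path.join(root, "wmc/webserver/lib/catalina.jar"), "9.0.88")
    make_fake_catalina_jar(os.path.join(root, "wmc/webserver/lib.old/catalina.jar"), "9.0.85")
    found = find_catalina_versions(root)
    return found, distinct_builds(found)


if __name__ == "__main__":
    found, builds = demo()
    for path, info in sorted(found.items()):
        print(f"{path}: {info}")
    if len(builds) > 1:
        print("More than one Tomcat build present:", builds)
```

If the list of distinct builds has more than one entry, the scanner and the manual ServerInfo check can both be right at the same time, because they are looking at different files; clearing the finding then means removing or updating the extra copy, which is a change to ask the vendor about rather than make on your own.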

  • Hi chriswilkes33 

    I recently checked and there are EEBs available for various NetBackup versions to address the Tomcat vulnerabilities covered by those two CVEs.
    ET 4158486 NetBackup 10.4
    ET 4158024 NetBackup 10.3.0.1
    ET 4157810 NetBackup 10.2.0.1
    ET 4157630 NetBackup 10.1.1.
    ET 4157838 NetBackup 10.0.0.1

    I included information for earlier NetBackup versions, which may help others. Log a support case and request the fix (via the ET number) for the relevant NetBackup version.

    Cheers
    David

  • Hi chriswilkes33 

    Patching the individual components of NetBackup is not recommended nor supported. My suggestion is to open a support case with Veritas and request more information about the vulnerability you are concerned about. 

    It is possible (as has happened with other security advisories), that the way tomcat is used and configured in NetBackup is not affected by the vulnerability. 

    Tomcat is used by the web services module in NetBackup, so if you remove it, NetBackup will break.

    Do you have the CVE related to this issue or more details?

    David

    •
      chriswilkes33
      Level 3

      Hi, I assumed there would be something like the nbcomponentupdate tool for the JRE. This particular vulnerability is found in CVE-2024-23672 and CVE-2024-24549.

      Unfortunately our auditors care more about vulnerability software flagging vulnerabilities than whether or not we are actually vulnerable, so I don't have a choice but to find a way to make the vulnerability disappear from our vulnerability management software.

      Thanks for the reply,

      Chris


      •
        davidmoline
        Level 6

        Hi chriswilkes33 

        Given these security notices were only released on Apr 25, I go back to my initial suggestion to log a support case to request analysis (this may already be in progress - I don't have visibility). They may also be able to help you address the issue.

        David


    •
      davidmoline
      Level 6

      Hi chriswilkes33 

      The two places to go are, first https://www.veritas.com/support/en_US/security to see if the alert is listed. If it is not there, then a support call is required to ask about the issue and see if there is a fix available, in progress, or not required.

      In this particular case, I was looking at internal sites not available to the public, so it will not help you in the future. 

      Cheers
      David