Upgrade tomcat instance

chriswilkes33
Level 3

Netbackup 10.4 has a vulnerable version of tomcat running.

I need to patch it (or throw the webserver in the trash since we don't use it anyway, but that doesn't seem possible)

I tried downloading the latest version of tomcat 9.0.88 and extracting and putting the files in /usr/openv/wmc/webserver, netbackup starts. I am able to query and see tomcat version 9.0.88 is in place but the vulnerability tool still shows 9.0.85 as the version installed. I am wondering if there is a documented way to upgrade the tomcat server?
I have found several VOX articles about it, but none really new, and I'm not sure netbackup supports those methods.

/usr/openv/java/jre/bin/java -cp /usr/openv/wmc/webserver/lib/catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/9.0.88
Server built: Apr 9 2024 13:22:30 UTC
Server number: 9.0.88.0
OS Name: Linux
OS Version: 4.18.0-513.24.1.el8_9.x86_64
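One check worth running after a manual swap like the one above, so you can see which copy of catalina.jar a file-based scanner is still reading (an added example, not Veritas tooling; the directory tree it builds and the `lib.orig` path are constructed for the demo, while `org/apache/catalina/util/ServerInfo.properties` is the real file inside catalina.jar that `ServerInfo` reads):

```python
"""Locate every catalina.jar under a NetBackup tree and report the Tomcat
version each one carries. Added example, not Veritas/NetBackup tooling."""
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Real path inside catalina.jar where Tomcat stores its version strings.
SERVERINFO = "org/apache/catalina/util/ServerInfo.properties"

def jar_version(jar: Path) -> Optional[str]:
    """Return the server.number (e.g. '9.0.88.0') stored in a catalina.jar."""
    with zipfile.ZipFile(jar) as zf:
        try:
            props = zf.read(SERVERINFO).decode("utf-8", "replace")
        except KeyError:
            return None  # not a Tomcat catalina.jar
    for line in props.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "server.number":
            return value.strip()
    return None

def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def find_tomcat_jars(root: Path) -> Dict[str, str]:
    """Map each catalina.jar below root to its server.number."""
    found = {}
    for jar in root.rglob("catalina.jar"):
        ver = jar_version(jar)
        if ver:
            found[str(jar)] = ver
    return found

def stale_jars(root: Path, expected: str) -> List[str]:
    """Jars older than expected: the copies a file-based scanner still flags."""
    return sorted(p for p, v in find_tomcat_jars(root).items()
                  if version_tuple(v) < version_tuple(expected))

def make_demo_tree() -> Path:
    """Constructed sample tree: an upgraded jar plus a stale copy left behind."""
    root = Path(tempfile.mkdtemp())
    for rel, ver in [("wmc/webserver/lib/catalina.jar", "9.0.88.0"),
                     ("wmc/webserver/lib.orig/catalina.jar", "9.0.85.0")]:
        jar = root / rel
        jar.parent.mkdir(parents=True)
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr(SERVERINFO, f"server.info=Apache Tomcat/{ver[:-2]}\n"
                                    f"server.number={ver}\n")
    return root

if __name__ == "__main__":
    root = make_demo_tree()  # replace with Path("/usr/openv") on a real host
    for path, ver in find_tomcat_jars(root).items():
        print(path, ver)
    print("older than 9.0.88.0:", stale_jars(root, "9.0.88.0"))
```

Note that `ServerInfo` only reports the jar you put on the classpath; walking the tree shows whether an older copy still exists for a scanner to find.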

davidmoline
Level 6
Employee

Hi @chriswilkes33 

Patching the individual components of NetBackup is not recommended nor supported. My suggestion is to open a support case with Veritas and request more information about the vulnerability you are concerned about. 

It is possible (as has happened with other security advisories), that the way tomcat is used and configured in NetBackup is not affected by the vulnerability. 

Tomcat is used by the web services module in NetBackup, so if you remove it, NetBackup will break.

Do you have the CVE related to this issue or more details?

David

Hi, I assumed there would be something like the nbcomponentupdate tool for the JRE. This particular vulnerability is found in CVE-2024-23672 and CVE-2024-24549.

Unfortunately our auditors care more about vulnerability software flagging vulnerabilities than whether or not we are actually vulnerable, so I don't have a choice but to find a way to make the vulnerability disappear from our vulnerability management software.

Thanks for the reply,

Chris

Hi @chriswilkes33 

Given these security notices were only released on Apr 25, I go back to my initial suggestion to log a support case to request analysis (this may already be in progress - I don't have visibility). They may also be able to help you address the issue.

David

Hi @chriswilkes33 

I recently checked and there are EEBs available for various NetBackup versions to address the Tomcat vulnerabilities covered by those two CVEs.
ET 4158486 NetBackup 10.4
ET 4158024 NetBackup 10.3.0.1
ET 4157810 NetBackup 10.2.0.1
ET 4157630 NetBackup 10.1.1
ET 4157838 NetBackup 10.0.0.1

I included information for earlier NetBackup versions, which may help others. Log a support case and request the fix (via the ET number) for the relevant NetBackup version.

Cheers
David

Thank you for this. If you could point to where you found this information so I can find it myself in the future, it would be excellent. Having to specifically request a hotfix seems silly.

Chris

Hi @chriswilkes33 

The two places to go are: first, https://www.veritas.com/support/en_US/security to see if the alert is listed. If it is not there, then a support call is required to ask about the issue and see if there is a fix available, in progress, or not required.

In this particular case, I was looking at internal sites not available to the public, so it will not help you in the future. 

Cheers
David