2 Replies Latest reply on Jun 7, 2017 10:58 AM by pabely

    In light of CVE-2017-5664 : Can we update Tomcat distributed with WHD 12.5?

    silverbacksays

      Hey Thwackers!

       

      I have a WHD 12.5 instance, which is running Tomcat 7.0.70. A recent vulnerability (http://tomcat.apache.org/security-7.html) requires that I update Apache to 7.0.78, to mitigate the issues.

       

      My question is, can I download this version, and replace the files distributed with WHD (after stopping the WHD service first, natch), or will I need to wait for the next WHD release?

       

      Thanks in advance!

        • Re: In light of CVE-2017-5664 : Can we update Tomcat distributed with WHD 12.5?
          silverbacksays

          Hi all,

           

          I logged a ticket with Support for this, as I needed an answer quickly. It turns out that we cannot upgrade Tomcat ourselves. However, a new service release is in the works:

           

          //

          Hi Jez,

          Thank you for contacting SolarWinds Technical Support.

          My name is <REDACTED> and I will be working on this case with you. It is not possible to update the version of Apache Tomcat running on WHD as it is an integrated service on WHD. If you could wait though, we do have a service release version that is coming soon with an updated version of Apache Tomcat which is version 7.0.77. We don't have an exact ETA on this yet it will be out when its ready.

          Please let us know if you should have any additional questions or need further assistance.

          Thank you for choosing SolarWinds products.

          //

           

          According to the information I have, Tomcat 7.0.77 is also effected by the same vulnerabilities, so I have, on behalf of all WHD users, asked that the developers consider using 7.7.78 in the next release to ensure WHD is not vulnerable to the issues reported in CVE.

           

          -Silverbacksays