Re: Tomcat 5.0.xx migration

2016-02-09 Thread Christopher Schultz

Uzair,

On 2/9/16 1:11 PM, uzair rashid wrote:
> Most of our business is running Tomcat 7.x.xx or later. But, we
> have a business function of ours that is using Tomcat 5.0.xx.
> Unfortunately, this is causing a lot of issues in terms of
> vulnerability remediation.

You should definitely upgrade anything running Tomcat 5.x to something
later. If possible, Tomcat 8.x would be preferable.

> Apache Tomcat Servlet Host Manager Servlet Cross-Site Scripting 
> Vulnerability

Don't deploy the host manager: no vulnerability at any Tomcat level.

> Apache Tomcat Information Disclosure Vulnerability
> 
> Apache Tomcat Accept-Language Cross-Site Scripting Vulnerability

Though unspecified, these will have no workaround I know of.

> Apache Tomcat JavaDoc Spoofing Vulnerability

This is not a vulnerability in Tomcat itself, but the (Javadoc)
documentation. Nobody should really have to worry about this, unless
you host a copy of the javadoc somewhere in your own environment.

> Apache Tomcat 4, 5 and 6 Examples Web Application Multiple
> Cross-Site Scripting Vulnerabilities
> 
> Apache Tomcat 4 and 5 Cross-Site Scripting Vulnerability in
> Calendar Application in JSP Examples
> 
> Apache Tomcat 5 Cross-Site Scripting in implicit-objects.jsp of
> "Examples" Application

Don't deploy the examples: no vulnerability at any Tomcat level.

> Apache Tomcat Multiple Content Length Headers Information
> Disclosure Vulnerability

Not sure.

> Apache Tomcat Multiple Cross-Site Scripting Vulnerabilities in
> Manager and Host Manager Web Applications

Don't deploy the host manager. If you need to deploy the manager
application, make sure you secure it and make sure your web-based
users know not to click on emailed links that take them directly into
the manager application.

> Apache Tomcat 4 and 5 Multiple Cross-Site Scripting
> Vulnerabilities

These are usually issues with an application (e.g. Examples) and not
the server.

> The above is what we are experiencing and we are running Crystal
> Report as well.

What does Crystal Reports have to do with anything?

> Could someone please guide me in the most efficient way to
> upgrade?

http://tomcat.apache.org/migration.html

There are no migration guides from 5.0 -> 8.0, but if you read them
all, you'll know what issues you might face.

> My thought process is 5.0.xx to 5.5 then migration to 6 or 7?

There is no particular reason to upgrade each release one at a time.
You can go from 5.x to 8.x all at once.

> We are running Windows 2003. I’m not even sure if it will support
> it?

If Java runs on it, Tomcat will run on it (assuming you have enough
memory to run your own application).

> I am unable to find any process documents or guidance on how to go 
> about the upgrade process and which version could help us in 
> vulnerability remediation. Could someone please help me? This is 
> extremely time sensitive to our business needs.

See the migration guide(s) above.

-chris

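An added example, not part of the thread and not Tomcat's own code: a small Python audit of a CATALINA_BASE/webapps directory that flags the stock applications the reply says not to deploy (examples, host-manager, docs) and, if the manager application is deployed, checks its META-INF/context.xml for a RemoteAddrValve. The directory layout it builds is constructed sample data; the application names and the valve class name are Tomcat's standard ones, while the advice strings are the editor's own summary of the thread.

```python
"""Audit a Tomcat CATALINA_BASE/webapps directory for the stock web
applications the reply above says not to deploy, and check whether a
deployed manager app has its access restricted by a RemoteAddrValve.

Added example: not code from the mailing-list thread or from the Tomcat
project. Assumptions: the stock apps keep their standard directory names
(examples, host-manager, manager, docs), each deployed app is a directory
or a .war file under webapps/, and the manager's META-INF/context.xml is
where an address-restricting Valve would be declared.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Stock applications and the editorial advice derived from the thread.
DEFAULT_APPS = {
    "examples": "remove; sample JSPs/servlets, repeatedly the subject of XSS advisories",
    "host-manager": "remove unless virtual hosts really are managed remotely",
    "manager": "keep only if needed; restrict by source address and use a dedicated role",
    "docs": "remove; static documentation does not belong on a production server",
}


def deployed_apps(webapps_dir):
    """Return the set of context names under webapps/ (directories or .war files)."""
    names = set()
    for entry in Path(webapps_dir).iterdir():
        if entry.is_dir():
            names.add(entry.name)
        elif entry.suffix == ".war":
            names.add(entry.stem)
    return names


def manager_has_addr_valve(webapps_dir):
    """True if webapps/manager/META-INF/context.xml declares a RemoteAddrValve."""
    ctx = Path(webapps_dir) / "manager" / "META-INF" / "context.xml"
    if not ctx.is_file():
        return False
    root = ET.parse(ctx).getroot()
    return any(v.get("className") == REMOTE_ADDR_VALVE for v in root.iter("Valve"))


def audit_webapps(webapps_dir):
    """Return {app_name: advice} for every stock app still deployed."""
    findings = {}
    for name in sorted(deployed_apps(webapps_dir)):
        if name not in DEFAULT_APPS:
            continue
        advice = DEFAULT_APPS[name]
        if name == "manager" and not manager_has_addr_valve(webapps_dir):
            advice += " (no RemoteAddrValve found in META-INF/context.xml)"
        findings[name] = advice
    return findings


def build_sample_webapps(restrict_manager=False):
    """Constructed sample layout (hypothetical, not a real server): ROOT,
    examples, the business app, a host-manager .war and a manager app whose
    context.xml optionally carries a RemoteAddrValve."""
    base = Path(tempfile.mkdtemp(prefix="tomcat-audit-"))
    for d in ("ROOT", "examples", "crystalreports"):
        (base / d).mkdir()
    (base / "host-manager.war").write_bytes(b"PK\x03\x04")  # stub archive header
    meta_inf = base / "manager" / "META-INF"
    meta_inf.mkdir(parents=True)
    valve = (f'  <Valve className="{REMOTE_ADDR_VALVE}" allow="127\\.0\\.0\\.1"/>\n'
             if restrict_manager else "")
    (meta_inf / "context.xml").write_text(
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<Context antiResourceLocking="false" privileged="true">\n{valve}</Context>\n')
    return base


if __name__ == "__main__":
    # Run against the constructed sample; point audit_webapps() at a real
    # CATALINA_BASE/webapps to audit an actual instance.
    for app, advice in audit_webapps(build_sample_webapps()).items():
        print(f"{app}: {advice}")
```

The audit only looks at what is unpacked or dropped into webapps/; an app deployed through a separate Context element in server.xml, or an autoDeploy of a .war from elsewhere, would need the same check pointed at that location.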

Tomcat 5.0.xx migration

2016-02-09 Thread uzair rashid
Hello Experts:

Most of our business is running Tomcat 7.x.xx or later. But, we have a
business function of ours that is using Tomcat 5.0.xx. Unfortunately, this
is causing a lot of issues in terms of vulnerability remediation.

Apache Tomcat Servlet Host Manager Servlet Cross-Site Scripting
Vulnerability

Apache Tomcat Information Disclosure Vulnerability

Apache Tomcat Accept-Language Cross-Site Scripting Vulnerability

Apache Tomcat JavaDoc Spoofing Vulnerability

Apache Tomcat 4, 5 and 6 Examples Web Application Multiple Cross-Site
Scripting Vulnerabilities

Apache Tomcat 4 and 5 Cross-Site Scripting Vulnerability in Calendar
Application in JSP Examples

Apache Tomcat 5 Cross-Site Scripting in implicit-objects.jsp of "Examples"
Application

Apache Tomcat Multiple Content Length Headers Information Disclosure
Vulnerability

Apache Tomcat Multiple Cross-Site Scripting Vulnerabilities in Manager and
Host Manager Web Applications

Apache Tomcat 4 and 5 Multiple Cross-Site Scripting Vulnerabilities

The above is what we are experiencing and we are running Crystal Report
as well.

Could someone please guide me in the most efficient way to upgrade?

My thought process is 5.0.xx to 5.5 then migration to 6 or 7? We are
running Windows 2003. I’m not even sure if it will support it? I am unable
to find any process documents or guidance on how to go about the upgrade
process and which version could help us in vulnerability remediation. Could
someone please help me? This is extremely time sensitive to our business
needs.

Cheers!