Hello everyone,

We received the results of a security scan of our application running on Apache Karaf 4.4.3. One of the issues is that an old and vulnerable component is in use, in particular Apache Tomcat version 9.0.70. This comes from the pax-web feature (version 8.0.15 in Karaf 4.4.3).

I checked which version of pax-web is used in Karaf 4.4.6 and found that it is 8.0.27. According to what I was able to find, version 8.0.27 of pax-web uses Apache Tomcat version 9.0.87. Unfortunately this version of Tomcat still has some known vulnerabilities (see https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/9.0.87). Even the newest version of pax-web (8.0.29) uses a vulnerable version of Apache Tomcat, 9.0.96 (see https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/9.0.96). The only 9.x version of Tomcat without vulnerabilities is 9.0.98.

My question is whether it is possible to upgrade just the Tomcat feature (pax-web-tomcat). If so, how can I do that? Is it possible to configure the karaf-maven-plugin to package the newest version of Tomcat in the assembly?

Best Regards
Martin Zukal
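A practical first step for the question above is to find out exactly which tomcat-embed-core version a Karaf features repository will install, so that the component inventory from the scan can be reproduced and re-checked after any pax-web or Karaf upgrade. The script below is an added example, not code from the original post, Karaf or pax-web. It assumes only the standard Karaf features XML layout (a `<feature>` element containing `<bundle>` elements whose text is an `mvn:groupId/artifactId/version[/type]` URL); the sample XML embedded in it is constructed for illustration and does not reproduce the real pax-web feature files. The version threshold defaults to 9.0.98, the version the post names as the clean one.

```python
"""Report the tomcat-embed-core versions a Karaf features XML would install.

Added example (not from the mailing-list post, Karaf or pax-web). Assumes the
standard Karaf features XML layout; the sample document below is constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one feature pulling the old Tomcat from the post, one a fixed build.
SAMPLE_FEATURES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<features xmlns="http://karaf.apache.org/xmlns/features/v1.6.0" name="sample-repo">
  <feature name="pax-web-tomcat" version="8.0.15">
    <feature>pax-web-core</feature>
    <bundle>mvn:org.apache.tomcat.embed/tomcat-embed-core/9.0.70</bundle>
    <bundle>mvn:org.apache.tomcat.embed/tomcat-embed-websocket/9.0.70</bundle>
  </feature>
  <feature name="custom-tomcat" version="1.0.0">
    <bundle start-level="30">wrap:mvn:org.apache.tomcat.embed/tomcat-embed-core/9.0.98/jar</bundle>
  </feature>
</features>
"""

# Matches the mvn: part of a bundle URL even when a wrap:/blueprint: prefix precedes it.
MVN_URL = re.compile(r"mvn:([^/\s]+)/([^/\s]+)/([^/\s$]+)")


def local_name(tag):
    """Strip the XML namespace so '{http://...}bundle' compares as 'bundle'."""
    return tag.rsplit("}", 1)[-1]


def parse_version(version):
    """Turn '9.0.98' into (9, 0, 98) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def bundle_versions(features_xml, group_id, artifact_id):
    """Map feature name -> version for every <bundle> of the given Maven coordinates."""
    root = ET.fromstring(features_xml)
    found = {}
    for feature in root.iter():
        # Only top-level <feature name="..."> definitions; nested <feature>text</feature>
        # elements are dependency references and carry no name attribute.
        if local_name(feature.tag) != "feature" or feature.get("name") is None:
            continue
        for bundle in feature.iter():
            if local_name(bundle.tag) != "bundle" or not bundle.text:
                continue
            match = MVN_URL.search(bundle.text.strip())
            if match and match.group(1) == group_id and match.group(2) == artifact_id:
                found[feature.get("name")] = match.group(3)
    return found


def outdated_tomcat(features_xml, minimum="9.0.98"):
    """Names of features whose tomcat-embed-core is older than the minimum version."""
    versions = bundle_versions(features_xml, "org.apache.tomcat.embed", "tomcat-embed-core")
    return sorted(name for name, v in versions.items()
                  if parse_version(v) < parse_version(minimum))


if __name__ == "__main__":
    # Usage: python check_tomcat.py [path/to/features.xml]; without a path, the sample runs.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_FEATURES_XML
    for name, version in bundle_versions(xml_text, "org.apache.tomcat.embed", "tomcat-embed-core").items():
        print(f"{name}: tomcat-embed-core {version}")
    print("below 9.0.98:", outdated_tomcat(xml_text))
```

Pointing the script at the features XML files under an assembly's `system/` repository (or at a features repository downloaded from the Maven coordinates in the post) gives a list of which features still reference a Tomcat below the threshold, which is the evidence a scanner report should be reconciled against before and after an upgrade.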