Hi Stephan,
Thanks for the hint and thank you for sharing your karaf-maven-plugin configuration.
I am using startupFeatures but if I specify the version it works too. So I have 
now Apache Karaf 4.4.3 with pax-web 8.0.29.
Thank you for your help!
Best regards
Martin

From: Siano, Stephan <stephan.si...@sap.com>
Sent: Tuesday, January 14, 2025 12:45 PM
To: user@karaf.apache.org; Martin Zukal <martin.zu...@stabilit.ch>
Subject: RE: upgrade apache tomcat bundled in pax-web

Hi Martin,

Tomcat is strongly merged into the pax-web bundles, so you won't get any 
progress without updating the Tomcat version in pax-web and having a new pax-web 
version. Maybe open a JIRA task there (or even create a contribution in the 
pax-web project).

The idea is that in the project where you build the assembly you add the 
following maven dependency:
        <dependency>
            <groupId>org.ops4j.pax.web</groupId>
            <artifactId>pax-web-features</artifactId>
            <classifier>features</classifier>
            <type>xml</type>
            <version>${pax.web.version}</version>
            <scope>runtime</scope>
        </dependency>

Then the configuration of the karaf maven plugin looks like this:
            <plugin>
                <groupId>org.apache.karaf.tooling</groupId>
                <artifactId>karaf-maven-plugin</artifactId>
                <extensions>true</extensions>
                <configuration>
                    <framework>framework-logback</framework>
                    <!-- no startupFeatures -->
                    <bootFeatures>
                        <feature>standard</feature>
                        <feature>pax-web-tomcat/${pax.web.version}</feature>
                        <feature>pax-web-tomcat-websockets/${pax.web.version}</feature>
                        <feature>pax-web-http-tomcat/${pax.web.version}</feature>
                        <feature>pax-web-war/${pax.web.version}</feature>
                        <feature>pax-web-whiteboard/${pax.web.version}</feature>
                        <feature>pax-web-jsp/${pax.web.version}</feature>
                        ...
                    </bootFeatures>
                    <!-- no installedFeatures -->
                </configuration>
            </plugin>

Best regards
Stephan

From: Martin Zukal via user <user@karaf.apache.org>
Sent: Tuesday, 14 January 2025 12:20
To: user@karaf.apache.org
Subject: RE: upgrade apache tomcat bundled in pax-web

Hi Stephan,
Thanks for the response! Good to hear that.
Do I understand correctly that you install the new pax-web version as an 
additional feature (maybe with <startupFeature>) and leave the original version 
provided by karaf there as well? Using pax-web 8.0.29 would help a lot but if I 
want to really use the newest tomcat version it is still not sufficient so I 
continue investigating on that.
Best regards
Martin


From: Siano, Stephan <stephan.si...@sap.com>
Sent: Tuesday, January 14, 2025 11:17 AM
To: user@karaf.apache.org; Martin Zukal <martin.zu...@stabilit.ch>
Subject: RE: upgrade apache tomcat bundled in pax-web

Hi Martin,

It is possible to have a newer pax-web version (including pax-web-tomcat) with 
a custom karaf distribution. We are currently using karaf 4.4.6 with pax-web 
8.0.29.
Concerning security scans: I haven't managed to make the karaf-maven-plugin 
not install the pax-web version that comes with the Karaf version (8.0.27 in 
the case of Karaf 4.4.6) into the repository as well (so you have two versions 
of pax-web in the Karaf repository). This means that code scans will still find 
the old Tomcat version even though only the newer one is installed into the 
running Karaf container.

Best regards
Stephan
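Two of Stephan's points above are worth verifying on the built assembly rather than taking on trust: that the pinned pax-web version really is the one in bootFeatures, and that the Karaf-provided version (and the Tomcat it embeds) is still sitting in the `system/` repository where a dependency scanner will find it. The script below is an added example, not code from the thread or from the Karaf/pax-web projects. It assumes the standard Maven layout of the assembly's `system/` directory (`<artifactId>-<version>.jar`), and it assumes that a pax-web bundle embedding Tomcat still carries Maven's `META-INF/maven/org.apache.tomcat.embed/*/pom.properties` entries, which is what most scanners key on; that second assumption should be checked against a real jar. The sample repository it builds when run without arguments is constructed data using the version pairs quoted in the thread (8.0.27 with Tomcat 9.0.87, 8.0.29 with Tomcat 9.0.96).

```python
"""Audit a Karaf assembly's system/ repository for duplicate pax-web and
embedded Tomcat versions (added example, not code from the thread)."""
import os
import re
import sys
import tempfile
import zipfile
from collections import defaultdict

# Artifacts the thread is about. Karaf's system/ directory is a Maven-layout
# repository, so jars are named "<artifactId>-<version>.jar".
WATCHED_ARTIFACTS = ("pax-web-tomcat", "tomcat-embed-core")
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*?)\.jar$")

# Assumption: a bundle that embeds Tomcat keeps Maven's
# META-INF/maven/<groupId>/<artifactId>/pom.properties entries from the
# embedded jars, which is what dependency scanners key on. Not guaranteed for
# every pax-web build; verify against a real jar before relying on it.
EMBEDDED_POM_PROPS = re.compile(
    r"^META-INF/maven/org\.apache\.tomcat\.embed/([^/]+)/pom\.properties$")


def parse_pom_properties(text):
    """Minimal java.util.Properties parser (key=value lines, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def embedded_tomcat_versions(jar_path):
    """Return {artifactId: version} for Tomcat artifacts embedded in one jar."""
    found = {}
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            m = EMBEDDED_POM_PROPS.match(name)
            if m:
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                found[m.group(1)] = props.get("version", "?")
    return found


def scan_repository(root):
    """Walk a Maven-layout repository; map artifactId -> {version: [jar paths]}."""
    versions = defaultdict(lambda: defaultdict(list))
    for dirpath, _, files in os.walk(root):
        for fname in files:
            m = JAR_NAME.match(fname)
            if not m:
                continue
            artifact, version = m.group("artifact"), m.group("version")
            path = os.path.join(dirpath, fname)
            if artifact in WATCHED_ARTIFACTS:
                versions[artifact][version].append(path)
            # Look inside pax-web bundles for the Tomcat they carry.
            if artifact.startswith("pax-web") and zipfile.is_zipfile(path):
                for art, ver in embedded_tomcat_versions(path).items():
                    versions[art][ver].append(path)
    return {a: dict(v) for a, v in versions.items()}


def duplicates(report):
    """Artifacts shipped in more than one version: exactly what a scanner flags."""
    return {a: sorted(v) for a, v in report.items() if len(v) > 1}


def build_sample_repository():
    """Constructed sample data mirroring the thread: Karaf 4.4.6's own
    pax-web-tomcat 8.0.27 (Tomcat 9.0.87) next to the overriding 8.0.29
    (Tomcat 9.0.96). The jars are stubs, not real artifacts."""
    root = tempfile.mkdtemp(prefix="karaf-system-")
    for pw, tc in (("8.0.27", "9.0.87"), ("8.0.29", "9.0.96")):
        d = os.path.join(root, "org", "ops4j", "pax", "web", "pax-web-tomcat", pw)
        os.makedirs(d)
        with zipfile.ZipFile(os.path.join(d, f"pax-web-tomcat-{pw}.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr(
                "META-INF/maven/org.apache.tomcat.embed/tomcat-embed-core/pom.properties",
                f"groupId=org.apache.tomcat.embed\nartifactId=tomcat-embed-core\nversion={tc}\n")
    return root


if __name__ == "__main__":
    # Usage: python audit_system_repo.py target/assembly/system
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_repository()
    for artifact, vers in sorted(duplicates(scan_repository(root)).items()):
        print(f"{artifact}: {len(vers)} versions present: {', '.join(vers)}")
```

Run it against the assembly's `system/` directory (typically `target/assembly/system` for a karaf-maven-plugin build; path assumed). An artifact listed with two versions is what the scanner reports, regardless of which one Karaf actually starts; compare with the `featuresBoot` entry in the assembly's `etc/org.apache.karaf.features.cfg` to confirm that only the pinned `pax-web-*/${pax.web.version}` features boot.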

From: Martin Zukal via user <user@karaf.apache.org>
Sent: Tuesday, 14 January 2025 10:37
To: user@karaf.apache.org
Subject: upgrade apache tomcat bundled in pax-web

Hello everyone,
We received the results of a security scan of our application running on Apache 
Karaf 4.4.3. One of the issues is that there is an old and vulnerable component 
in use: Apache Tomcat version 9.0.70 in particular. This comes from 
the pax-web feature (version 8.0.15 in Karaf 4.4.3).
I checked what version of pax-web is used in Karaf 4.4.6 and found out that it 
is 8.0.27. According to what I was able to find, version 8.0.27 of pax-web uses 
Apache Tomcat version 9.0.87. Unfortunately this version of Tomcat still has 
some known vulnerabilities (see 
https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/9.0.87).
Even the newest version of pax-web (8.0.29) uses a vulnerable version of 
Apache Tomcat, 9.0.96 (see 
https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/9.0.96).
The only 9.x version of Tomcat without vulnerabilities is 9.0.98.
My question is whether it is possible to upgrade just the Tomcat feature 
(pax-web-tomcat). If so, how can I do that? Is it possible to configure the 
karaf-maven-plugin to package the newest version of Tomcat in the assembly?
Best Regards
Martin Zukal
