Tenable shows vulnerabilities to upgrade Tomcat to 8.5.60 though the upgrade has been done in Archive Server

My version of Archive Server is 16.2.0 and I was using Tomcat version 8.5.39.

The security team has found vulnerabilities and asked me to upgrade Tomcat to version 8.5.60.

I used the steps below to upgrade Tomcat to the newer minor version. To upgrade Tomcat:

  1. Download the latest 64-bit ZIP file from the Tomcat website (https://tomcat.apache.org/download-80.cgi).
  2. Stop the Apache Tomcat and Archive Spawner services. Exit the Tomcat tray control (tomcat8w.exe).
  3. Back up the following files and folders in the <Tomcat_home> folder:
     • conf folder
     • In the lib folder:
       – activation.jar (since Update 16.2.2)
       – archive-help-config.jar
       – as_bizprovAPI.jar
       – as_intf.jar
       – as_metadataAPI.jar
       – commons-logging-1.1.1.jar
       – ixosBaseIntf.jar
       – jicsdb_intf.jar
       – jicsx_intf.jar
       – log4j.jar
  4. Delete the bin and lib folders.
  5. In the webapps folder, delete the following folders:
     • docs
     • manager
     • ROOT
     • examples (if installed)
     • host-manager (if installed)
  6. Delete all files and folders within the work folder.
  7. Copy the following folders from the temporary folder of the new Tomcat to the <Tomcat_home> folder:
     • bin
     • lib
     • webapps (accept to merge the folders)
  8. Copy the saved files from the lib folder (Step 3) into the <Tomcat_home>\lib folder.
  9. Start the Apache Tomcat and Archive Spawner services.

The upgrade was successful, and I have verified in the as.log file in the logs folder that I could see version 8.5.60. But the security team is saying that the version is still 8.5.39 and they are still seeing the vulnerabilities. Could you guys guess what the reason may be? I have also rebooted the Archive Server.

There are 1 best solutions below

Tenable looks at the registry info, and your method of replacing the files won't amend the registry data. Hence, it got flagged as 8.5.39.
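
One way to check the mismatch described in the answer above, as an added example that is not part of the original post: this PowerShell script compares the Tomcat version in `lib\catalina.jar` with version strings still recorded in the registry. The `C:\Tomcat` default path is a placeholder, and the registry locations are assumptions (the Windows Uninstall list and the key written by Apache's Windows service installer). The scan's plugin output shows which source the finding actually came from.

```powershell
# Added example. Run in an elevated PowerShell session on the Archive Server host.
param(
    [string]$TomcatHome = 'C:\Tomcat'   # placeholder: set to your <Tomcat_home>
)
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Version of the binaries actually on disk, read from catalina.jar
function Get-TomcatDiskVersion([string]$Path) {
    $jar = Join-Path $Path 'lib\catalina.jar'
    $zip = [System.IO.Compression.ZipFile]::OpenRead($jar)
    try {
        $entry  = $zip.GetEntry('org/apache/catalina/util/ServerInfo.properties')
        $reader = New-Object System.IO.StreamReader($entry.Open())
        $text   = $reader.ReadToEnd()
        $reader.Dispose()
    } finally { $zip.Dispose() }
    # The file carries a line such as: server.info=Apache Tomcat/8.5.60
    if ($text -match '(?m)^server\.info=Apache Tomcat/([\d.]+)') { return $Matches[1] }
}

# Version strings left in the registry (assumed locations, 64-bit and 32-bit views)
function Get-TomcatRegistryVersions {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Apache Software Foundation\Tomcat\*\*',
             'HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Tomcat\*\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Tomcat*' -or
                       $_.PSPath -like '*Apache Software Foundation*' } |
        ForEach-Object {
            [pscustomobject]@{
                Key     = $_.PSPath -replace '^.*?::', ''
                Version = if ($_.DisplayVersion) { $_.DisplayVersion } else { $_.Version }
            }
        }
}

$disk = Get-TomcatDiskVersion $TomcatHome
"On disk (catalina.jar): $disk"
$found = @(Get-TomcatRegistryVersions)
if (-not $found) { 'No Tomcat version entries found in the checked registry keys.' }
foreach ($item in $found) {
    # A registry value that differs from the on-disk version is what a
    # registry-based check would still report after a file-copy upgrade.
    $state = if ($item.Version -eq $disk) { 'matches' } else { 'STALE' }
    '{0,-10} [{1}] {2}' -f $item.Version, $state, $item.Key
}
```

A `STALE` line showing 8.5.39 while the disk version is 8.5.60 corresponds to the situation in the question: the binaries are upgraded but the recorded install data is not.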