BSI Apache & Java Vulnerabilities

Document ID : KB000094773
Last Modified Date : 12/06/2018
Issue:
During a security audit, the following vulnerabilities were found on the BSI application, web and database servers:

Oracle Java SE Multiple Unspecified Vulnerabilities
Apache Tomcat End Of Life Detection.
Resolution:
To upgrade to JDK 1.8 and fix the Java SE vulnerabilities, follow these instructions, which are part of applying BSI patch 8.3.5.3:

https://docops.ca.com/ca-business-service-insight/8-3-5/en/installation/implement-ca-business-service-insight-cumulative-patch-8-3-5-3/install-wildfly-8-1-with-jdk-1-8 

The Tomcat server is only used by ACE2 and the Oblisync server. If you are not using these, the simplest option is to disable the service. If you do wish to replace the Tomcat version, you can download 6.0.53 from here:

https://archive.apache.org/dist/tomcat/tomcat-6/v6.0.53/bin/ 

You need the apache-tomcat-6.0.53-windows-x86.zip file. 

To install it, do the following: 

1) Stop the "Oblicore - Tomcat 6" service. I would also recommend setting it to Manual, or even Disabled, instead of Automatic if you don't need it running.
2) Take a backup copy of the %OG_HOME%\Tomcat folder. 
3) Copy the contents of the zip file into the %OG_HOME%\Tomcat folder one top-level folder at a time, so you can skip replacing the "conf" folder. If you did do the whole thing, then get that conf folder out of the backup and restore it. 
4) Go into the "Work" folder and delete the contents (you'll probably find it's just the "Catalina" folder in there). This contains cached data that will be rebuilt when you restart.
5) You may now restart the "Oblicore - Tomcat 6" service if you wish; however, that is not necessary if it is not being used at present.
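
The steps above as a PowerShell script, with a check that the existing "conf" folder was left untouched. This is an added example, not part of the original article or a vendor-supplied script; it assumes "Oblicore - Tomcat 6" is the service's display name and that the zip was unpacked to the hypothetical path in `$Extracted`.

```powershell
# Added example (not from the KB article). Run in an elevated PowerShell session.
# Assumptions: 'Oblicore - Tomcat 6' is the service DISPLAY name, and $Extracted
# is a hypothetical folder where apache-tomcat-6.0.53-windows-x86.zip was unpacked.
$ErrorActionPreference = 'Stop'
if (-not $env:OG_HOME) { throw 'OG_HOME is not set' }

$DisplayName = 'Oblicore - Tomcat 6'
$TomcatHome  = Join-Path $env:OG_HOME 'Tomcat'
$Extracted   = 'C:\Temp\apache-tomcat-6.0.53'     # hypothetical location
$Backup      = "$TomcatHome.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"

if (-not (Test-Path (Join-Path $Extracted 'bin'))) {
    throw "No Tomcat layout found under $Extracted"
}

# Step 1: stop the service and take it off Automatic start.
$svc = Get-Service -DisplayName $DisplayName
Stop-Service -InputObject $svc -Force
Set-Service -Name $svc.Name -StartupType Manual   # or Disabled if unused

# Step 2: back up the whole folder, conf included.
Copy-Item -Path $TomcatHome -Destination $Backup -Recurse

# Step 3: copy one top-level item at a time, skipping conf so that the
# existing configuration is not replaced by the distribution defaults.
Get-ChildItem -Path $Extracted |
    Where-Object { $_.Name -ne 'conf' } |
    ForEach-Object {
        Copy-Item -Path $_.FullName -Destination $TomcatHome -Recurse -Force
    }

# Step 4: clear the cached data; it is rebuilt on the next start.
$work = Join-Path $TomcatHome 'work'
if (Test-Path $work) {
    Get-ChildItem -Path $work -Force | Remove-Item -Recurse -Force
}

# Check: the live configuration must match the backup (server.xml as a spot check).
$live  = Get-FileHash (Join-Path $TomcatHome 'conf\server.xml')
$saved = Get-FileHash (Join-Path $Backup 'conf\server.xml')
if ($live.Hash -ne $saved.Hash) {
    throw 'conf\server.xml changed; restore the conf folder from the backup'
}

# Step 5 (optional): restart only if ACE2 or the Oblisync server is in use.
# Start-Service -InputObject $svc
```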