Upgrading Apache Tomcat to avoid known fixed vulnerabilities

Document ID : KB000107928
Last Modified Date : 01/08/2018
Introduction:

The CA Service Management solution uses Apache Tomcat. Announcements of newly discovered or newly fixed vulnerabilities occur regularly. 

For example, the following issue was reported publicly on 6 April 2018 and formally announced as a vulnerability on 22 July 2018. 

Title: CVE-2018-1336 Apache Tomcat - Denial of Service

Description: An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service.
Affects: 7.0.28 to 7.0.88; 8.5.0 to 8.5.30 

Question:
Are the Tomcat releases listed in the CA Service Management Supportability Matrix the only releases that are supported?
Environment:
CA Service Management 17.1
Answer:
The current point versions of Tomcat are supported as per the following statements in the documentation:
 
Note: CA Service Management supports service packs and point releases not necessarily noted on this matrix as long as the problem reported is reproducible with versions that are listed on the support matrix.

CA Technologies reserves the right to refuse support of new point releases should the reported problem require a major redesign to function properly. If the resolution to a problem is determined to be outside the realm of CA Support responsibilities, they may ask that you escalate your request for certification to your local account team.

For example, at the time of writing this knowledge article:
  • The Third-Party Common Components section of the Supportability Matrix showed the following support for Apache Tomcat:
 
Component                 Apache Tomcat version
CA SDM                    8.5.6
CA Service Catalog        8.5.6
CA APM                    8.5.6
USS                       7.0.40
xFlow Analyst Interface   NA
  • For Tomcat 7, the current point version is 7.0.90; for Tomcat 8.5, the current point version is 8.5.32. Both of these point versions include a fix for vulnerability CVE-2018-1336. (Note: Version 8.5.32 also contains a fix for CVE-2018-8037; there does not yet appear to be a fix for that in 7.0.xx.)
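As an added example (not part of this article or of CA's tooling), the following script takes the version line printed by Tomcat's version.sh or ServerInfo, checks it against the affected ranges quoted above for CVE-2018-1336, and reports the current point release to upgrade to. The affected ranges and the 7.0.90 / 8.5.32 targets are those stated in this article; the sample version lines are constructed from the matrix values.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) for CVE-2018-1336, as quoted in this article.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2018-1336": [((7, 0, 28), (7, 0, 88)), ((8, 5, 0), (8, 5, 30))],
}
# Current point version per branch at the time of writing, from this article.
CURRENT_POINT: Dict[Tuple[int, int], Version] = {
    (7, 0): (7, 0, 90),
    (8, 5): (8, 5, 32),
}


def parse_version(text: str) -> Version:
    """Pull major.minor.patch out of a 'Server version:' line or 'Apache Tomcat/x.y.z'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version, cve: str = "CVE-2018-1336") -> bool:
    """True when the installed version falls inside any affected range for the CVE."""
    return any(lo <= version <= hi for lo, hi in AFFECTED[cve])


def upgrade_target(version: Version) -> Optional[Version]:
    """Current point release for this branch if the install is behind it, else None."""
    target = CURRENT_POINT.get(version[:2])
    if target is None or version >= target:
        return None
    return target


def assess(version_line: str) -> Dict[str, object]:
    """Assess one version line: parsed version, affected flag, and upgrade target."""
    v = parse_version(version_line)
    return {"version": v, "affected": is_affected(v), "upgrade_to": upgrade_target(v)}


if __name__ == "__main__":
    # Constructed sample lines using the versions from the supportability matrix.
    for line in ("Server version: Apache Tomcat/8.5.6",
                 "Server version: Apache Tomcat/7.0.40",
                 "Server version: Apache Tomcat/8.5.32"):
        print(line, "->", assess(line))
```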
Additional Information:
https://docops.ca.com/ca-service-management/17-1/en/ca-service-management-17-1-release-notes/supportability-matrix
 
https://tomcat.apache.org/download-70.cgi 
https://tomcat.apache.org/download-80.cgi 

Please also review the following enhancement Idea in CA Communities:

Title: Add support for the recent version of Tomcat 9.x and JRE 10.x
https://communities.ca.com/ideas/235740460-add-support-for-the-recent-version-of-tomcat-9x-and-jre-10x