https://community.extremenetworks.com/t5/extremecontrol/pen-test-reveals-out-of-date-apache-tomcat-on-extreme-control/m-p/100847#M483 <P>Hi Stefan,</P><P>Extreme Control&nbsp;<SPAN>23.11.12.3.</SPAN></P><P><SPAN>I will have to ask customer for the Tomcat version.</SPAN></P><P><SPAN>Edit: 9.0.84 is part of 23.11.12.3.</SPAN></P><P><SPAN>Thanks,</SPAN></P><P><SPAN>Rob</SPAN></P> Fri, 05 Jul 2024 15:30:06 GMT RobertD1 2024-07-05T15:30:06Z https://community.extremenetworks.com/t5/extremecontrol/pen-test-reveals-out-of-date-apache-tomcat-on-extreme-control/m-p/100839#M480 <P>Hello,</P><P>What would our response be to a customer that runs a PEN test and has identified the version of Apache Tomcat to be old (not the latest)? Understand that products have to be updated when new updates are made, just don't know whether Apache Tomcat will be updated in-line with times it gets updated. Not seeing the change&nbsp; in the release notes.&nbsp;</P><P>I think known vulnerabilities are checked against XIQ-SE and NAC and software changes that protect against an issue would be planned for a future release, this would make sense. Unclear if this should be in the release notes or not?&nbsp;</P><P>Seeking advice on this valid security concern and what to say to the end customer.</P><P>I can ask for versions of Apache Tomcat on their installed version but just posting to learn more about how to respond to this type of concern.</P><P>Rob</P><P>&nbsp;</P> Fri, 05 Jul 2024 09:27:55 GMT https://community.extremenetworks.com/t5/extremecontrol/pen-test-reveals-out-of-date-apache-tomcat-on-extreme-control/m-p/100839#M480 RobertD1 2024-07-05T09:27:55Z https://community.extremenetworks.com/t5/extremecontrol/pen-test-reveals-out-of-date-apache-tomcat-on-extreme-control/m-p/100840#M481 <P>Knowing the exact installed version of Tomcat would indeed be helpful. Security-Fixes are also patched into older releases afaik.</P><P>Updates of such components/packages don't make it to the release notes.&nbsp;</P><P>What version of ExtremeControl is in use?&nbsp;</P> Fri, 05 Jul 2024 09:54:38 GMT https://community.extremenetworks.com/t5/extremecontrol/pen-test-reveals-out-of-date-apache-tomcat-on-extreme-control/m-p/100840#M481 Stefan_K_ 2024-07-05T09:54:38Z https://community.extremenetworks.com/t5/extremecontrol/pen-test-reveals-out-of-date-apache-tomcat-on-extreme-control/m-p/100845#M482 <P>Please see&nbsp;<A href="https://extreme-networks.my.site.com/ExtrArticleDetail?an=000107545" target="_blank">https://extreme-networks.my.site.com/ExtrArticleDetail?an=000107545</A>.</P><P>In general Extreme provides monthly security vulnerability remediation releases. If your customer is concerned about pen-test results they should upgrade to the latest OS release (24.2.15 at this point) on all supported products (XIQ-SE, Control, Analytics) and re-scan.</P><P>If this is a scan on XMC, Control, Analytics 8.5.x then no updates will be provided and the software is AS IS prior to end of life September 2024.</P><P>You should also search our SA articles as a number of them have been published over time with various Apache related vulnerabilities and we are either not vulnerable (by design) or we've since upgraded the Apache Tomcat engine.</P><P>I believe as of 24.2.15 the Apache TC version is 9.0.87.</P> Fri, 05 Jul 2024 12:43:19 GMT https://community.extremenetworks.com/t5/extremecontrol/pen-test-reveals-out-of-date-apache-tomcat-on-extreme-control/m-p/100845#M482 Robert_Haynes 2024-07-05T12:43:19Z https://community.extremenetworks.com/t5/extremecontrol/pen-test-reveals-out-of-date-apache-tomcat-on-extreme-control/m-p/100847#M483 <P>Hi Stefan,</P><P>Extreme Control&nbsp;<SPAN>23.11.12.3.</SPAN></P><P><SPAN>I will have to ask customer for the Tomcat version.</SPAN></P><P><SPAN>Edit: 9.0.84 is part of 23.11.12.3.</SPAN></P><P><SPAN>Thanks,</SPAN></P><P><SPAN>Rob</SPAN></P> Fri, 05 Jul 2024 15:30:06 GMT https://community.extremenetworks.com/t5/extremecontrol/pen-test-reveals-out-of-date-apache-tomcat-on-extreme-control/m-p/100847#M483 RobertD1 2024-07-05T15:30:06Z