PEN test reveals out of date Apache Tomcat on Extreme Control

RobertD1
Contributor II

Hello,

What would our response be to a customer that runs a PEN test and has identified the version of Apache Tomcat to be old (not the latest)? I understand that products have to be updated when new updates are made; I just don't know whether Apache Tomcat will be updated in line with the times it gets updated. Not seeing the change in the release notes.

I think known vulnerabilities are checked against XIQ-SE and NAC, and software changes that protect against an issue would be planned for a future release; this would make sense. Unclear if this should be in the release notes or not?

Seeking advice on this valid security concern and what to say to the end customer.

I can ask for versions of Apache Tomcat on their installed version but just posting to learn more about how to respond to this type of concern.

Rob


1 ACCEPTED SOLUTION

Robert_Haynes
Extreme Employee

Please see https://extreme-networks.my.site.com/ExtrArticleDetail?an=000107545.

In general Extreme provides monthly security vulnerability remediation releases. If your customer is concerned about pen-test results they should upgrade to the latest OS release (24.2.15 at this point) on all supported products (XIQ-SE, Control, Analytics) and re-scan.

If this is a scan on XMC, Control, Analytics 8.5.x then no updates will be provided and the software is AS IS prior to end of life September 2024.

You should also search our SA articles as a number of them have been published over time with various Apache related vulnerabilities and we are either not vulnerable (by design) or we've since upgraded the Apache Tomcat engine.

I believe as of 24.2.15 the Apache TC version is 9.0.87.

3 REPLIES

Stefan_K_
Valued Contributor

Knowing the exact installed version of Tomcat would indeed be helpful. Security fixes are also patched into older releases, AFAIK.

Updates of such components/packages don't make it to the release notes.

What version of ExtremeControl is in use? 

Hi Stefan,

Extreme Control 23.11.12.3.

I will have to ask customer for the Tomcat version.

Edit: 9.0.84 is part of 23.11.12.3.

Thanks,

Rob
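As an added worked example (not code from the thread or from Extreme), the following Python helper does the check both replies above point at: pull the Tomcat version out of a scanner banner or a `version.sh` line and compare it with the version the vendor states ships in a given release. The release-to-Tomcat mapping uses only the two values given in this thread (24.2.15 ships 9.0.87, 23.11.12.3 ships 9.0.84); the banner lines are constructed sample input, and the function names are my own.

```python
"""Triage a pen-test 'outdated Tomcat' finding against the vendor-stated version.

Release-to-Tomcat mapping is taken from the thread; sample scan lines are
constructed, not captured from a real appliance."""
import re
from typing import Dict, List, Optional, Tuple

# Tomcat versions stated in the thread, keyed by Extreme release (assumed exact).
KNOWN_TOMCAT_BY_RELEASE: Dict[str, str] = {
    "24.2.15": "9.0.87",
    "23.11.12.3": "9.0.84",
}

# Constructed sample input: one HTTP Server header with a full Tomcat version,
# one generic connector banner that carries no Tomcat version at all, and one
# line in the format printed by $CATALINA_HOME/bin/version.sh.
SAMPLE_SCAN_LINES: List[str] = [
    "Server: Apache Tomcat/9.0.84",
    "Server: Apache-Coyote/1.1",
    "Server version: Apache Tomcat/9.0.87",
]

_TOMCAT_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for the first x.y.z in text, else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def extract_tomcat_version(line: str) -> Optional[str]:
    """Return the Tomcat version string from a banner or version.sh line.

    Returns None when the line does not name Tomcat explicitly (for example a
    bare Apache-Coyote banner), so a scanner cannot have read a version from it."""
    m = _TOMCAT_RE.search(line)
    return ".".join(m.groups()) if m else None


def compare_to_release(reported: str, release: str) -> str:
    """Classify the reported Tomcat version against the vendor's version for
    `release`: 'matches', 'older', 'newer' or 'unknown-release'.

    Note: a banner comparison only tells you whether the reported build is the
    one the vendor says it ships; backported fixes (mentioned in the thread) do
    not change the banner, so an 'older' result still has to be checked against
    the vendor's SA articles before it is reported as a live vulnerability."""
    expected = KNOWN_TOMCAT_BY_RELEASE.get(release)
    if expected is None:
        return "unknown-release"
    got, want = parse_version(reported), parse_version(expected)
    if got is None:
        return "unknown-release"
    if got == want:
        return "matches"
    return "older" if got < want else "newer"


def triage_scan(lines: List[str], release: str) -> Dict[str, str]:
    """Map each scan line to a verdict; lines without a Tomcat version get
    'no-version' so they are not silently counted as findings."""
    verdicts: Dict[str, str] = {}
    for line in lines:
        version = extract_tomcat_version(line)
        verdicts[line] = "no-version" if version is None else compare_to_release(version, release)
    return verdicts


if __name__ == "__main__":
    for line, verdict in triage_scan(SAMPLE_SCAN_LINES, "24.2.15").items():
        print(f"{verdict:16} {line}")
```

Run it with the release the customer actually has installed; a "matches" verdict means the scanner is simply reporting the build the vendor ships, and an "older" verdict is the cue to confirm the installed release before replying to the customer.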
