Uzair,

On 2/9/16 1:11 PM, uzair rashid wrote:
> Most of our business is running Tomcat 7.x.xx or later. But, we
> have a business function of ours that is using Tomcat 5.0.xx.
> Unfortunately, this is causing a lot of issues in terms of
> vulnerability remediation.

You should definitely upgrade anything running Tomcat 5.x to something later. If possible, Tomcat 8.x would be preferable.

> Apache Tomcat Servlet Host Manager Servlet Cross-Site Scripting
> Vulnerability

Don't deploy the host manager: no vulnerability at any Tomcat level.

> Apache Tomcat Information Disclosure Vulnerability
>
> Apache Tomcat Accept-Language Cross-Site Scripting Vulnerability

Though unspecified, these will have no workaround I know of.

> Apache Tomcat JavaDoc Spoofing Vulnerability

This is not a vulnerability in Tomcat itself, but the (Javadoc) documentation. Nobody should really have to worry about this, unless you host a copy of the javadoc somewhere in your own environment.

> Apache Tomcat 4, 5 and 6 Examples Web Application Multiple
> Cross-Site Scripting Vulnerabilities
>
> Apache Tomcat 4 and 5 Cross-Site Scripting Vulnerability in
> Calendar Application in JSP Examples
>
> Apache Tomcat 5 Cross-Site Scripting in implicit-objects.jsp of
> "Examples" Application

Don't deploy the examples: no vulnerability at any Tomcat level.

> Apache Tomcat Multiple Content Length Headers Information
> Disclosure Vulnerability

Not sure.

> Apache Tomcat Multiple Cross-Site Scripting Vulnerabilities in
> Manager and Host Manager Web Applications

Don't deploy the host manager. If you need to deploy the manager application, make sure you secure it and make sure your web-based users know not to click on emailed links that take them directly into the manager application.

> Apache Tomcat 4 and 5 Multiple Cross-Site Scripting
> Vulnerabilities

These are usually issues with an application (e.g. Examples) and not the server.

> The above is what we are experiencing and we are running Crystal
> Report as well.

What does Crystal Reports have to do with anything?

> Could someone please guide me in the most efficient way to
> upgrade?

http://tomcat.apache.org/migration.html

There are no migration guides from 5.0 -> 8.0, but if you read them all, you'll know what issues you might face.

> My thought process is 5.0.xx to 5.5 then migration to 6 or 7?

There is no particular reason to upgrade each release one at a time. You can go from 5.x to 8.x all at once.

> We are running windows 2003. I'm not even sure if it will support
> it?

If Java runs on it, Tomcat will run on it (assuming you have enough memory to run your own application).

> I am unable to find any process documents or guidance on how to go
> about the upgrade process and which version could help us in
> vulnerability remediation. Could someone please help me? This is
> extremely time sensitive to our business needs.

See the migration guide(s) above.

-chris
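The advice in this reply boils down to two checks an administrator can script: confirm that the stock `examples`, `docs` and `host-manager` webapps are not deployed, and, if the `manager` app must stay, restrict who can reach it. The script below is an added example written for this post, not code from the thread or from the Tomcat project. It assumes the standard `$CATALINA_BASE/webapps/<app>` layout and uses the `RemoteAddrValve` allow pattern that newer Tomcat releases ship in the manager's own `context.xml`; adjust the pattern to the administrative hosts you actually use.

```shell
#!/bin/sh
# Assumption: the Tomcat instance lives at $1 with the stock webapps/ layout.

# Report stock webapps that have no place on a production server, and a
# manager app that is deployed without a client-address restriction.
# Returns 0 when nothing needs attention, 1 otherwise.
audit_tomcat_webapps() {
    base="$1"
    found=0
    for app in examples docs host-manager; do
        if [ -d "$base/webapps/$app" ] || [ -f "$base/webapps/$app.war" ]; then
            echo "REMOVE: $base/webapps/$app (stock app, not needed in production)"
            found=1
        fi
    done
    if [ -d "$base/webapps/manager" ]; then
        ctx="$base/webapps/manager/META-INF/context.xml"
        if [ -f "$ctx" ] && grep -q RemoteAddrValve "$ctx"; then
            echo "OK: manager present, RemoteAddrValve configured in $ctx"
        else
            echo "RESTRICT: manager present without a RemoteAddrValve in $ctx"
            found=1
        fi
    fi
    return $found
}

# Write a per-application context.xml that lets only loopback clients reach
# the manager app. A link mailed to a user and opened from another host is
# refused before any credentials are even checked. The allow pattern is the
# one shipped with recent Tomcat releases (assumption: it fits your setup).
restrict_manager_to_localhost() {
    base="$1"
    ctx_dir="$base/webapps/manager/META-INF"
    mkdir -p "$ctx_dir"
    cat > "$ctx_dir/context.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true">
  <!-- Only loopback clients may reach the manager application. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
EOF
}

# Usage (constructed path): audit_tomcat_webapps /opt/tomcat
#                           restrict_manager_to_localhost /opt/tomcat
```

Run the audit before and after the change; a clean run exits 0. Removing the `examples` and `host-manager` directories (and any matching `.war` files) addresses the XSS advisories quoted above regardless of the Tomcat version, while the valve limits the manager's exposure without touching its credentials.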