Just had my security guys pick me up about the Tomcat released with 10.6 thats currnetly on our pre box. dont like the idea of updating tomcat outside Jamf so reached out to our account manager to see if at least Jamf is aware.
Question
CVE on Tomcat 9.0.0-9.0.9 and 8.5.5-8.5.31, ie Jamf Pro 10.6
+5
+18And what did Jamf say?
+12following....
+36Following...
+18Jamf suggested using the root.war manual upgrade path to me. This would be upgrading without upgrading Tomcat itself.
EDIT - Spoke with Jamf again and they don't want us changing our upgrade method from the Windows .msi based one. To be continued another weekend.
+7So is Apache Tomcat 8.5.31 not updatable without breaking JAMF? Because 8.5.32 is current including REQUIRED patching from 8.5.31.
+18@ryan.yohnk I don't know if you're the right person to tag on this, but you had responded to my discussion on Java support moving forward.
I was wondering whether you or someone else on Jamf could comment on the current situation with the Tomcat CVEs being discussed here.
+18We are in a hold pattern on Jamf upgrades until the CVE(s) are closed out. Interested to know where we are in closing these out.
+7Jamf is planning a release associated with this vulnerability based on the severity. I cannot share a timeline yet on when, but it is in process.
+14Pro Tip: Instead of posting a one-word comment to the thread to be informed of future updates, 'Add Bookmark'.
:)
+7P.S. We released 10.6.2 on August 21 to address this CVE. You can find 10.6.2 in Jamf Nation in your assets. What's New in 10.6.2
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.