CVE on Tomcat 9.0.0-9.0.9 and 8.5.5-8.5.31, i.e. Jamf Pro 10.6

L-plateAdmin
Contributor

Just had my security guys pick me up about the Tomcat released with 10.6 that's currently on our pre box. Don't like the idea of updating Tomcat outside Jamf, so reached out to our account manager to see if at least Jamf is aware.

http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700@minotaur.apache.org%3E

17 REPLIES

bpavlov
Honored Contributor

And what did Jamf say?

rderewianko
Valued Contributor II

Posting so I get notified of new posts too ;)

kstrick
Contributor III

Have a feeling we may see a Jamf Pro 10.6.1 with updated Tomcat

stephanpeterson
Contributor

following....

donmontalvo
Esteemed Contributor III

Following...

--
https://donmontalvo.com

snovak
Contributor

Joining the conga line

dgreening
Valued Contributor II

Oof, I have the upgrade scheduled for this weekend. I reached out to Jamf for comment.

dmw3
Contributor III

Following...

jriv
New Contributor III

Interested

dgreening
Valued Contributor II

Jamf suggested using the root.war manual upgrade path to me. This would be upgrading without upgrading Tomcat itself.

EDIT - Spoke with Jamf again and they don't want us changing our upgrade method from the Windows .msi based one. To be continued another weekend.

c_archibald
Contributor II

So is Apache Tomcat 8.5.31 not updatable without breaking JAMF? Because 8.5.32 is current including REQUIRED patching from 8.5.31.

bpavlov
Honored Contributor

@ryan.yohnk I don't know if you're the right person to tag on this, but you had responded to my discussion on Java support moving forward.

I was wondering whether you or someone else on Jamf could comment on the current situation with the Tomcat CVEs being discussed here.

dgreening
Valued Contributor II

We are in a hold pattern on Jamf upgrades until the CVE(s) are closed out. Interested to know where we are in closing these out.

joe_bloom
New Contributor III

Jamf is planning a release associated with this vulnerability based on the severity. I cannot share a timeline yet on when, but it is in process.

cdenesha
Valued Contributor II

Pro Tip: Instead of posting a one-word comment to the thread to be informed of future updates, 'Add Bookmark'.

:)

rderewianko
Valued Contributor II

But I like adding to my count of new notifications.

joe_bloom
New Contributor III

P.S. We released 10.6.2 on August 21 to address this CVE. You can find 10.6.2 in Jamf Nation in your assets. What's New in 10.6.2