On 02/04/2014 10:24, ayeungied wrote:
> My boss uses Nexpose to scan our SuSE Linux 11 SP2 servers and finds
> lots of risks there.
> According to the remediations provided, upgrading to the latest version of
> Apache Tomcat is recommended.
> I've patched the server to SP3 and installed Java, as Apache Tomcat needs
> Java after version 5.x.
> I've also downloaded Apache Tomcat 6.x and 7.x, as I have to first upgrade
> from 5.x to 6.x, then to 7.x.
> However, the steps for installing them are not clear. Even if I can extract
> them, how can I run the startup.sh which will overwrite the version

Most software that checks for vulnerabilities does so by simply checking
the version strings rather than actually trying to exploit the various
vulnerabilities it's looking for (which makes sense, because that
could trigger bad things).
As such, scanning SLES servers doesn't provide accurate results, since
SUSE backports security fixes from later versions of software into
earlier versions that have proved to be stable for a particular release
of SLES. So when scanned, a software package reports the earlier version
number (because it is the earlier version) even though it's not vulnerable, due to having a
later fix backported.
Another thing to be aware of is that SUSE only supports packages that
they provide (either via the patch channel or from the SUSE download site), so
installing a later version from source could leave you unsupported.
I'm not sure if the reference you make to SP3 means that you've now
upgraded the server from SLES 11 SP2 to SLES 11 SP3, but if you haven't,
then that would be my first step. That should in itself give you Tomcat 6.x.
SUSE Knowledge Partner
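The reply's point about version-string checks versus backported fixes can be turned into a small triage helper. This is an added example written for this page, not code from the thread or from SUSE or Rapid7: it takes the installed package version, the version at which a scanner considers the issue fixed, and the text of `rpm -q --changelog <package>` (a constructed sample is embedded, and its CVE identifiers are placeholders rather than real advisories), and reports whether a finding is likely a false positive because the package changelog records a backported fix for that CVE.

```python
import re
from typing import Dict, Tuple

# Constructed sample of what `rpm -q --changelog tomcat6` prints on a SLES host.
# The CVE identifiers below are placeholders for illustration, not real advisories.
SAMPLE_CHANGELOG = """\
* Mon Jan 13 2014 - maintainer@example.com
- backport fix for CVE-0000-0002 (placeholder id)
- added tomcat6-CVE-0000-0002.patch
* Tue Nov 05 2013 - maintainer@example.com
- backport fix for CVE-0000-0001 (placeholder id)
* Fri Aug 02 2013 - maintainer@example.com
- update to 6.0.37
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")


def fixed_cves_from_changelog(changelog: str) -> Dict[str, str]:
    """Map every CVE id mentioned in an rpm changelog to the header of the entry
    that first mentions it. Entry headers are the lines starting with '* '."""
    fixed: Dict[str, str] = {}
    current_entry = ""
    for line in changelog.splitlines():
        if line.startswith("* "):
            current_entry = line[2:].strip()
            continue
        for cve in CVE_RE.findall(line):
            fixed.setdefault(cve, current_entry)
    return fixed


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn an rpm-style version such as '6.0.37-0.34.1' into a comparable tuple.
    The release suffix after '-' is dropped; non-numeric components count as 0
    (a simplification assumed here, not full rpm version semantics)."""
    upstream = version.split("-", 1)[0]
    return tuple(int(part) if part.isdigit() else 0 for part in upstream.split("."))


def triage_finding(installed: str, fixed_in: str, cve: str, changelog: str) -> dict:
    """Classify a scanner finding that is based only on a version string.

    - version_flagged: what the scanner sees (installed version < version with the fix)
    - backport_present: whether the package changelog records a fix for this CVE
    The verdict combines the two; it is a triage aid, not proof of non-vulnerability.
    """
    version_flagged = parse_version(installed) < parse_version(fixed_in)
    backports = fixed_cves_from_changelog(changelog)
    backport_present = cve in backports
    if not version_flagged:
        verdict = "not flagged"
    elif backport_present:
        verdict = "likely false positive (fix backported)"
    else:
        verdict = "open (no backport found; patch or verify)"
    return {
        "cve": cve,
        "version_flagged": version_flagged,
        "backport_present": backport_present,
        "backport_entry": backports.get(cve),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Two findings against the same installed package: one has a backported fix
    # in the changelog, the other does not and still needs attention.
    for cve in ("CVE-0000-0002", "CVE-0000-0003"):
        print(triage_finding("6.0.37-0.34.1", "7.0.50", cve, SAMPLE_CHANGELOG))
```

On a real host, feed the function the output of `rpm -q --changelog tomcat6` (or whichever package the scanner flagged) instead of the embedded sample. A "likely false positive" verdict only means the distribution's changelog claims the fix; the authoritative confirmation is the vendor's own advisory for that CVE and package, and a finding with no backport entry should be treated as open until patched through the supported channel.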