Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Fabien TANGUY (FabienT92)
Sopra Steria Group
Developper
Sopra Steria Group
FR
FabienT92 Member since 2021 1 post
Sopra Steria Group
Posted: Mar 9, 2022
Last activity: Apr 13, 2022
Posted: 9 Mar 2022 5:53 EST
Last activity: 13 Apr 2022 11:29 EDT
Closed
Solved

How to fix Tomcat 9.0 vulnerabilities in Pega Platform 8.3.1

Hello, Our Pega Platform 8.3.1 is running with an embedded Tomcat 9.0.40 version. This version of Tomcat have several security vulnerabilities.

  • CVE-2021-25329 => vulnerability fixed in 9.0.42
  • CVE-2021-33037 => vulnerability fixed in 9.0.47
  • CVE-2021-30640 => vulnerability fixed in 9.0.47
  • CVE-2021-42340 => vulnerability fixed in 9.0.54.

Currently, the last version of Tomcat 9.0 is 9.0.59. How can we update the Tomcat 9.0 version in Pega Platform 8.3.1 ? Can PEGA provides us a security hotfix with Tomcat 9.0.59 version ? Or at least with 9.0.54 version ?

PEGA support redirects me here. Thank you

To see attachments, please log in.
Pega Platform 8.3.1
Security
Communications and Media
Team Lead

Accepted Solution

Posted: 2 years ago
Updated: 2 years ago
Posted: 9 Mar 2022 7:08 EST
Updated: 13 Apr 2022 11:29 EDT
Marije Schillern (MarijeSchillern)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
GB

@FabienT92  I believe Pega Support directed you to the forum as you are not running a platform stack as per the support guidelines.

According to the Platform Support Guide  Pega 8.3.1 can run on *any* Apache Tomcat 9.x version  (using Java 8)

Also see the Pega Platform Support Guide Resources 

Can you please clarify your platform stack to explain how you are using the embedded Tomcat?

Which official Installation documentation are you using during installation?

According to this article , I am not sure if Pega officially support Pega 8.x versions with embedded App Servers (eg  Springboot)

The security vulnerabilities you are listing are specific to those Tomcat versions. As this is not tied to a hard-coded 3rd party tool used within Pega there are therefore no hotfixes for that.

Vulnerabilities with included 3rd party software is dealt with as per the documentation such as listed here. and here  

Show More

@FabienT92  I believe Pega Support directed you to the forum as you are not running a platform stack as per the support guidelines.

According to the Platform Support Guide  Pega 8.3.1 can run on *any* Apache Tomcat 9.x version  (using Java 8)

Also see the Pega Platform Support Guide Resources 

Can you please clarify your platform stack to explain how you are using the embedded Tomcat?

Which official Installation documentation are you using during installation?

According to this article , I am not sure if Pega officially support Pega 8.x versions with embedded App Servers (eg  Springboot)

The security vulnerabilities you are listing are specific to those Tomcat versions. As this is not tied to a hard-coded 3rd party tool used within Pega there are therefore no hotfixes for that.

Vulnerabilities with included 3rd party software is dealt with as per the documentation such as listed here. and here  

If you're looking to package up Pega like Springboot does, it will be easier to use the official Docker images.  See Using Pega-provided Docker images.

Available here.

This is official, although quite new, but may let you do what you want with less work.

Show Less
To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice