Upgrading Tomcat vulnerabilities
Use the Tomcat upgrade capability to identify vulnerabilities in Apache Tomcat installations and to provide recommended remediation actions. The workflow retrieves Tomcat advisories and synchronizes version information for scanned VMs so that version upgrade decisions can be made and carried out through auto-remediation.
The Tomcat upgrade process is available as part of the standard auto-remediation workflows and requires both advisory ingestion and VM version synchronization before patches can be applied.
Before you begin
- Concert Workflows are installed and accessible from :
- Tomcat_Advisory
- Sync_TomcatVersion_Details
- Create_Change_Request_For_Remediation_Action
- Monitor_Remediation_Action_Status
- Remediation_Master (invokes the Tomcat upgrade logic)
- You have created the required authentication types:
- Ansible-based Linux authentication (linux_auth) for Tomcat hosts. For configuration, see Setting up authentication for Linux® remediation in Concert.
- You have a valid VM scan file that identifies Tomcat components and generates actions with subtype webserver.
For details about creating generic workflow authentications, see Configuring auto-remediation workflows.
Overview of the Tomcat upgrade flow
- Load Tomcat advisories
Fetches the official Tomcat CVE advisories and loads them into Concert.
- Upload the Tomcat VM scan report
Uploads the VM scan file so Concert can detect Tomcat components, identify vulnerable versions, and generate remediation actions with subtype webserver.
- Sync Tomcat version details
Retrieves the current Tomcat version from each VM and updates the action details with both the current version and the recommended version.
- Apply Tomcat upgrades
The auto-remediation workflows apply the recommended version upgrade and update the action status.
All upgrade operations run through the Remediation_Master workflow.
Step 1: Load Tomcat advisories
- In Concert Workflows, go to the Workflows page.
- Click .
- Open the Tomcat_Advisory workflow.
- Click Run workflow.
Expected result:
- Tomcat advisories are fetched from the official Apache source and loaded into Concert.
- Advisories become available for action processing.
Step 2: Upload the Tomcat VM scan report
- Go to .
- Upload the Tomcat VM vulnerability scan report.
See the Uploading a vulnerability scan topic for more information.
- Concert processes the report and identifies Tomcat instances and their current versions.
- When processing completes, the Actions list displays all generated Tomcat actions (subtype: webserver), which are later used by the upgrade workflows.
Expected result:
Concert generates remediation actions for detected Tomcat vulnerabilities and populates action details with the initial Tomcat version information.
Step 3: Sync Tomcat version details
- In Concert Workflows, go to the Workflows page.
- Click .
- Open the Sync_TomcatVersion_Details workflow.
- Provide the required inputs:
- Linux authentication for each Tomcat VM
- Click Run workflow.
The workflow updates each action's details with the following fields:
- current_version (detected from the host)
- new_version (recommended version derived from the advisory)
Expected result:
Actions with subtype webserver now include both the current and the recommended Tomcat version in their details.
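As an added illustration of what a sync step such as Sync_TomcatVersion_Details has to work out (this is not Concert's own code, whose internals the page does not describe), the following Python reads the installed version from a host's version.sh output and derives new_version as the highest fixed version on the same Tomcat branch across the advisories that still apply to that host. The advisory entries and the captured host output are constructed samples, and the rule "affected when below the branch's fixed version" is an assumption of this example.

```python
"""Derive current_version / new_version for a Tomcat webserver action."""
import re

# Constructed sample advisories (not real CVE data). Each entry lists, per Tomcat
# branch, the first version that contains the fix. Assumption for this example:
# a host is affected when its version is below the fixed version for its branch.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-A", "fixed_in": {"9.0": "9.0.90", "10.1": "10.1.25"}},
    {"id": "ADVISORY-B", "fixed_in": {"9.0": "9.0.96", "10.1": "10.1.31"}},
    {"id": "ADVISORY-C", "fixed_in": {"10.1": "10.1.33"}},  # 9.0 branch not affected
]

# Constructed sample of `version.sh` output as captured from a host by Ansible.
SAMPLE_VERSION_OUTPUT = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.82
Server built:   Oct 3 2023 12:00:00 UTC
Server number:  9.0.82.0
OS Name:        Linux
"""


def parse_version(text: str) -> tuple:
    """Turn '9.0.82' into (9, 0, 82) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def detect_current_version(output: str) -> str:
    """Extract the installed version from the 'Server version' line of version.sh."""
    match = re.search(r"^Server version:\s*Apache Tomcat/(\d+\.\d+\.\d+)", output, re.M)
    if not match:
        raise ValueError("no 'Server version' line found in version.sh output")
    return match.group(1)


def recommend_version(current: str, advisories) -> dict:
    """Return the action detail fields plus the advisories the upgrade would close."""
    cur = parse_version(current)
    branch = f"{cur[0]}.{cur[1]}"          # stay on the same branch, e.g. 9.0 -> 9.0.x
    open_ids, fixed_candidates = [], []
    for adv in advisories:
        fixed = adv["fixed_in"].get(branch)
        if fixed and cur < parse_version(fixed):
            open_ids.append(adv["id"])
            fixed_candidates.append(parse_version(fixed))
    # The highest fixed version on the branch closes every still-open advisory;
    # if nothing applies, the host already has the recommended version.
    new = ".".join(map(str, max(fixed_candidates))) if fixed_candidates else current
    return {"current_version": current, "new_version": new, "advisories": open_ids}


if __name__ == "__main__":
    detected = detect_current_version(SAMPLE_VERSION_OUTPUT)
    print(recommend_version(detected, SAMPLE_ADVISORIES))
```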
Step 4: Apply Tomcat upgrades
Run the following auto-remediation workflows:
- Create_Change_Request_For_Remediation_Action
- Monitor_Remediation_Action_Status
- Remediation_Master
Provide Tomcat inputs to Remediation_Master
- linux_auth: Linux authentication for Tomcat VMs
The Remediation_Master workflow processes the advisory-driven actions and automatically upgrades Tomcat on each VM to the recommended version.
Expected result:
The action status updates to Success or Failed based on the upgrade result. Patch summaries appear in the workflow output.
Step 5: Review results
- Confirm that action statuses updated in .
- If needed, rerun the upgrade for failed hosts.
- Confirm that the CVE count decreases for the Tomcat VM in subsequent scans.
For more information, see Reviewing and applying remediation actions.