IBM Support

webMethods Knowledgebase : Apache Tomcat v8.5.41 or later to address IAVAs in webMethods v10.1 (1803350)

Troubleshooting


Problem

Site is requesting that Software AG update Apache Tomcat to "Apache Tomcat version 8.5.41" or later to address all of the Information Assurance Vulnerability Alerts (IAVAs) identified for webMethods v10.1.

Site went through the list of IAVAs that were discussed in a meeting with Software AG and identified the corresponding Common Vulnerabilities and Exposures (CVE) numbers, current status, and mitigating Tomcat versions, shown in the following table:

| IAVM | CVE | Status | Tomcat 8.5.x mitigation | Tomcat 9.x mitigation |
|---|---|---|---|---|
| 2017-B-0061 | CVE-2017-5664 | Superseded by 2017-B-0105 | 8.5.15 or later | |
| 2017-B-0105 | CVE-2017-7674, CVE-2017-7675 | Superseded by 2017-B-0133 | 8.5.16 or later | |
| 2017-B-0133 | CVE-2017-12615, CVE-2017-12616 | Superseded by 2017-B-0136 | 8.5.16 or later | |
| 2017-B-0136 | CVE-2017-12617 | Superseded by 2018-B-0025 | 8.5.23 or later | 9.0.1 or later |
| 2018-B-0025 | CVE-2017-15706 | Superseded by 2018-B-0028 | 8.5.24 or later | 9.0.2 or later |
| 2018-B-0028 | CVE-2018-1304, CVE-2018-1305 | Superseded by 2018-B-0080 | 8.5.28 or later | 9.0.5 or later |
| 2018-B-0080 | CVE-2018-8014 | Superseded by 2018-B-0095 | 8.5.32 or later | 9.0.9 or later |
| 2018-B-0095 | CVE-2018-8034, CVE-2018-8037 | Superseded by 2018-B-0133 | 8.5.32 or later | 9.0.10 or later |
| 2018-B-0133 | CVE-2018-11784 | Superseded by 2019-B-0027 | 8.5.34 or later | 9.0.12 or later |
| 2019-B-0027 | CVE-2019-0232 | Superseded by 2019-B-0048 | 8.5.40 or later | 9.0.19 or later |
| 2019-B-0048 | CVE-2019-0221 | Current | 8.5.40 or later | 9.0.19 or later |
| 2019-B-0051 | CVE-2019-10072 | Current | 8.5.41 or later | 9.0.20 or later |

Of the original list, 2019-B-0048 was missing.

Site has 2019-A-0165 on the list, but that IAVA is for Apache Subversion.

Software AG recommends IS_10.1_Core_Fix 8 to update Tomcat to v8.5.23, but that only addresses issues up to 2017-B-0136.

webMethods v10.5 is shipped with v8.5.35, which addresses issues up to 2018-B-0133.

To stay current, site needs Apache Tomcat v8.5.41 or later to address all IAVAs identified so far.

The latest Apache Tomcat versions are v8.5.50 and v9.0.30.

NOTE: Site is requesting an update to webMethods IS v10.1 and MWS v10.1 (if it uses Tomcat) to embed Apache Tomcat v8.5.41 or later, which addresses all IAVAs identified so far.
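The table and version statements above can be turned into a repeatable check. The following is an added example, not part of the original article or any Software AG or IBM tooling: it lists which IAVAs from the table remain open for a given embedded Tomcat 8.5.x version, comparing versions numerically so that 8.5.9 is not treated as newer than 8.5.41. The function names and the sample banners are constructed for illustration.

```python
import re

# (IAVA, CVEs, minimum fixed 8.5.x release), transcribed from the table on this page.
IAVA_TABLE = [
    ("2017-B-0061", ["CVE-2017-5664"], "8.5.15"),
    ("2017-B-0105", ["CVE-2017-7674", "CVE-2017-7675"], "8.5.16"),
    ("2017-B-0133", ["CVE-2017-12615", "CVE-2017-12616"], "8.5.16"),
    ("2017-B-0136", ["CVE-2017-12617"], "8.5.23"),
    ("2018-B-0025", ["CVE-2017-15706"], "8.5.24"),
    ("2018-B-0028", ["CVE-2018-1304", "CVE-2018-1305"], "8.5.28"),
    ("2018-B-0080", ["CVE-2018-8014"], "8.5.32"),
    ("2018-B-0095", ["CVE-2018-8034", "CVE-2018-8037"], "8.5.32"),
    ("2018-B-0133", ["CVE-2018-11784"], "8.5.34"),
    ("2019-B-0027", ["CVE-2019-0232"], "8.5.40"),
    ("2019-B-0048", ["CVE-2019-0221"], "8.5.40"),
    ("2019-B-0051", ["CVE-2019-10072"], "8.5.41"),
]

def parse_version(text):
    """Extract a numeric (major, minor, patch) tuple from a banner or bare version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def open_iavas(installed):
    """Return the table rows whose minimum 8.5.x fix is newer than the installed version."""
    ver = parse_version(installed)
    if ver[:2] != (8, 5):
        raise ValueError("this check only covers the 8.5.x column of the table")
    return [(iava, cves, fix) for iava, cves, fix in IAVA_TABLE
            if ver < parse_version(fix)]

if __name__ == "__main__":
    # Constructed sample banners in the style of Tomcat's version.sh output.
    for banner in ("Server version: Apache Tomcat/8.5.23",
                   "Server version: Apache Tomcat/8.5.35",
                   "Server version: Apache Tomcat/8.5.9",
                   "Server version: Apache Tomcat/8.5.41"):
        missing = open_iavas(banner)
        print(banner.split("/")[-1], "->", len(missing), "open IAVAs")
        for iava, cves, fix in missing:
            print(f"   {iava} ({', '.join(cves)}) needs {fix} or later")
```
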

Document Location

Worldwide


Document Information

Modified date:
20 March 2025

UID

ibm17226406