How do we update default Tomcat

Hello,

We used a vulnerability scanner tool on the SonarQube URL; the tool found that Tomcat is outdated and needs to be upgraded. We are not able to find anything related to Tomcat in SonarQube, but when we start SonarQube the console shows the following lines:

INFO web[o.s.p.ProcessEntryPoint] Starting Web Server
INFO web[o.s.s.a.TomcatHttpConnectorFactory] Starting Tomcat on port 9000

We are not using any proxy on the host.

Regards,
harsha.

Hey there.

It’s not possible to update the default Tomcat yourself.

What version of SonarQube are you using, and which (presumably) CVE are you concerned about?

Hi Colin,

We are using:

  • Enterprise Edition Version 9.9 (build 65466) LTS

Apache Tomcat Installed version [9.0.70] (out-of-date), the recommended version is 9.0.83, and the overall latest version is 10.1.16.

There are known vulnerabilities related to this Tomcat version; see below:
Important: Apache Tomcat denial of service CVE-2023-24998

Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

This was fixed with commit cf77cc54.

This issue was reported to the Apache Tomcat Security team on 11 December 2022. The issue was made public on 20 February 2023.

Affects: 9.0.0-M1 to 9.0.70

The latest version of SonarQube v9.9 LTS, v9.9.3, uses Tomcat 9.0.82. I would suggest upgrading to the latest version of the LTS!
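Since the embedded Tomcat version is not shown anywhere in the SonarQube UI, the practical way to confirm what a given install actually ships is to look at the bundled `tomcat-embed-core` jar on disk and compare its version with the affected range quoted in the advisory above (9.0.0-M1 to 9.0.70). The script below is an added example written for this thread; it is not SonarQube's own code and nothing in the thread describes it. It assumes the jar lives somewhere under the install directory (the `lib/common` path used for the constructed fixture is an assumption), that it is named `tomcat-embed-core-<version>.jar`, and that its manifest carries an `Implementation-Version` entry; the fixture it builds when run without arguments is a constructed stub jar, not a real SonarQube tree.

```python
"""Find the Tomcat embedded in a SonarQube install and check it against CVE-2023-24998.

Added example for this thread, not SonarQube's own code. Assumptions: the bundled jar is
named tomcat-embed-core-<version>.jar somewhere under the install root, and its manifest
has an Implementation-Version line (the filename is used as a fallback).
"""
import re
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

# Affected range quoted from the Tomcat advisory in the thread: 9.0.0-M1 to 9.0.70.
LAST_AFFECTED_9_0 = "9.0.70"

# Matches e.g. tomcat-embed-core-9.0.70.jar or tomcat-embed-core-9.0.0-M1.jar
JAR_RE = re.compile(r"^tomcat-embed-core-(\d+\.\d+\.\d+(?:-M\d+)?)\.jar$")


def parse_version(v: str) -> tuple:
    """'9.0.70' -> (9, 0, 70, inf); '9.0.0-M1' -> (9, 0, 0, 1).
    Milestones get their number in the last slot so they sort before the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else float("inf"))


def affected_by_cve_2023_24998(version: str) -> Optional[bool]:
    """True if version is within 9.0.0-M1..9.0.70 (the range quoted above), False for a
    later 9.0.x, None for other branches (the quoted advisory text only covers 9.0.x)."""
    v = parse_version(version)
    if v[:2] != (9, 0):
        return None
    return v <= parse_version(LAST_AFFECTED_9_0)


def tomcat_version_in(install_root: Path) -> Optional[str]:
    """Walk the install tree and return the version of the first tomcat-embed-core jar found.
    Prefers Implementation-Version from META-INF/MANIFEST.MF, falls back to the file name."""
    for jar in sorted(install_root.rglob("tomcat-embed-core-*.jar")):
        manifest = ""
        with zipfile.ZipFile(jar) as zf:
            if "META-INF/MANIFEST.MF" in zf.namelist():
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
        m = JAR_RE.match(jar.name)
        if m:
            return m.group(1)
    return None


def make_fixture(root: Path, version: str = "9.0.70") -> Path:
    """Constructed sample input: a fake install tree with a stub jar that only carries a manifest.
    The lib/common location is an assumption about the SonarQube layout, not a documented fact."""
    lib = root / "lib" / "common"
    lib.mkdir(parents=True, exist_ok=True)
    jar = lib / f"tomcat-embed-core-{version}.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n\r\n")
    return jar


def demo(version: str = "9.0.70"):
    """Build the constructed fixture in a temp dir, scan it, return (detected version, verdict)."""
    root = Path(tempfile.mkdtemp(prefix="sq-tomcat-demo-"))
    make_fixture(root, version)
    found = tomcat_version_in(root)
    return found, (affected_by_cve_2023_24998(found) if found else None)


def main(argv) -> int:
    """Usage: python check_tomcat.py [/path/to/sonarqube]; without a path, scans the fixture."""
    if len(argv) > 1:
        root = Path(argv[1])
        found = tomcat_version_in(root)
        verdict = affected_by_cve_2023_24998(found) if found else None
    else:
        root = "constructed fixture"
        found, verdict = demo()
    if found is None:
        print(f"no tomcat-embed-core jar found under {root}")
        return 2
    label = {True: "AFFECTED by CVE-2023-24998 (within 9.0.0-M1..9.0.70)",
             False: "outside the affected 9.0.x range",
             None: "not on the 9.0.x branch quoted above; check the advisory for this branch"}[verdict]
    print(f"Tomcat {found} under {root}: {label}")
    return 1 if verdict else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real install root (the directory containing `lib/`) rather than the fixture to get a verdict you can put next to the scanner's finding; a non-zero exit means either an affected version or no jar found, so it can sit in a CI job. The milestone handling matters because the advisory's range starts at 9.0.0-M1, and a naive string comparison would sort "9.0.0-M1" after "9.0.0".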

Can you tell me which SonarQube versions tie to which Tomcat versions from SonarQube v9.9 through the current release? We need to upgrade Tomcat too, and can’t find documentation on Tomcat versions tied to SonarQube versions.

@tprettyman I’m going to encourage you to serve yourself that info from SonarQube’s open-source Github repo.

tag 10.5
tag 9.9.4