How to fix Tomcat 9.0 vulnerabilities in Pega Platform 8.3.1

Hello,

Our Pega Platform 8.3.1 is running with an embedded Tomcat 9.0.40 version.
This version of Tomcat has several security vulnerabilities.

  • CVE-2021-25329 => vulnerability fixed in 9.0.42
  • CVE-2021-33037 => vulnerability fixed in 9.0.47
  • CVE-2021-30640 => vulnerability fixed in 9.0.47
  • CVE-2021-42340 => vulnerability fixed in 9.0.54.

Currently, the last version of Tomcat 9.0 is 9.0.59.

How can we update the Tomcat 9.0 version in Pega Platform 8.3.1?
Can Pega provide us with a security hotfix with the Tomcat 9.0.59 version?
Or at least with the 9.0.54 version?

Pega Support redirected me here.

Thank you
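As an added example (not part of the original post or of any Pega or Tomcat tooling), the script below turns the "fixed in" list above into a quick check: it reads the version string from `lib/catalina.jar`, where Tomcat stores it in `org/apache/catalina/util/ServerInfo.properties`, and reports which of the listed CVEs the running version still predates. The fixed-in versions are taken from the post as written, the sample properties text is constructed, and the `check.py` filename is assumed; for a real assessment, confirm the fixed-in versions against the Apache Tomcat 9 security page, since this only compares version numbers.

```python
"""Check an Apache Tomcat 9.0.x version against the fixed-in versions listed in the post."""
import re
import sys
import zipfile

# Fixed-in versions, copied from the post above (treat as the post's claim, not an authority).
FIXED_IN = {
    "CVE-2021-25329": (9, 0, 42),
    "CVE-2021-33037": (9, 0, 47),
    "CVE-2021-30640": (9, 0, 47),
    "CVE-2021-42340": (9, 0, 54),
}

# Constructed sample of the file Tomcat ships inside catalina.jar.
SAMPLE_SERVER_INFO = """server.info=Apache Tomcat/9.0.40
server.number=9.0.40.0
server.built=Nov 12 2020 17:01:31 UTC
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn 'Apache Tomcat/9.0.40' (or a bare '9.0.40') into a (major, minor, patch) tuple."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def version_from_server_info(properties_text):
    """Extract the server.info value from ServerInfo.properties text."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.info":
            return parse_version(value)
    raise ValueError("server.info key not found")


def version_from_catalina_jar(jar_path):
    """Read the version from a Tomcat install's lib/catalina.jar."""
    with zipfile.ZipFile(jar_path) as jar:
        data = jar.read("org/apache/catalina/util/ServerInfo.properties")
    return version_from_server_info(data.decode("utf-8"))


def unfixed_cves(version, fixed_in=FIXED_IN):
    """Return the CVEs whose fixed-in version is newer than the given version.

    Tuple comparison handles 9.0.9 < 9.0.40 correctly, which a string compare would not.
    """
    return sorted(cve for cve, fixed in fixed_in.items() if version < fixed)


if __name__ == "__main__":
    # Usage: python check.py /path/to/tomcat/lib/catalina.jar  (falls back to the sample)
    if len(sys.argv) > 1:
        version = version_from_catalina_jar(sys.argv[1])
    else:
        version = version_from_server_info(SAMPLE_SERVER_INFO)
    print("Tomcat version:", ".".join(map(str, version)))
    print("Listed CVEs not yet fixed at this version:", unfixed_cves(version) or "none")
```

Against the sample (9.0.40) all four listed CVEs are reported; at 9.0.47 only CVE-2021-42340 remains, and at 9.0.54 or later the list is empty. Point the script at the `catalina.jar` actually loaded by the Pega JVM, not at a Tomcat unpacked elsewhere on the host, since an embedded copy can differ from a system-wide install.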

@FabienT92 I believe Pega Support directed you to the forum as you are not running a platform stack as per the support guidelines.

According to the Platform Support Guide, Pega 8.3.1 can run on any Apache Tomcat 9.x version (using Java 8).

Also see the Pega Platform Support Guide Resources

Can you please clarify your platform stack to explain how you are using the embedded Tomcat?

Which official Installation documentation are you using during installation?

According to this article, I am not sure whether Pega officially supports Pega 8.x versions with embedded app servers (e.g. Spring Boot).

The security vulnerabilities you are listing are specific to those Tomcat versions. As this is not tied to a hard-coded 3rd-party tool used within Pega, there are no hotfixes for that.

Vulnerabilities in included 3rd-party software are dealt with as per the documentation, such as listed here and here.

If you’re looking to package up Pega like Spring Boot does, it will be easier to use the official Docker images. See Using Pega-provided Docker images.

Available here.

This is official, although quite new, but may let you do what you want with less work.