
I have an Ubuntu 18.04.3 server running Tomcat 8.5.39. Because this version is vulnerable to "GhostCat", I'd like to update to the latest version of Tomcat 8 (8.5.57).

However, the latest version doesn't appear to be in the apt repository. Running apt-get upgrade tomcat8 tells me tomcat8 is already the newest version (8.5.39-1ubuntu1~18.04.3). Is there a way to address this?

Esa Jokinen
CacheMoney
  • currently 8.5.51 is in NixOS, https://github.com/NixOS/nixpkgs/blob/84cf00f98031e93f389f1eb93c4a7374a33cc0a9/pkgs/servers/http/tomcat/default.nix – The Unix Janitor Jul 15 '20 at 16:15

2 Answers


The tomcat8 package for bionic (18.04LTS) is currently 8.5.39-1ubuntu1~18.04.3 and focal (20.04LTS) already has tomcat9. You are already at the newest version for your distribution!

You could install packages from another version of Ubuntu, but that might break some dependencies: it makes maintaining your system harder or in the worst case renders it useless. You could also compile your own, but in that case, you lose all automatic security updates: either your system becomes vulnerable or you need to compile your Tomcat over and over again.

For everyone who needs to ask this question, messing with the repositories is extremely dangerous and never recommended. If you really needed a newer version for compatibility reasons or the new features provided, you should rather upgrade your whole distribution.

For security updates you should wait until it's fixed in the distribution. This is reasoned quite well in DontBreakDebian: Don't suffer from Shiny New Stuff Syndrome, and applies to Ubuntu as well:

Before attempting to install the newest version of some software from somewhere other than the Debian Stable repositories, here are some things to keep in mind:

  • Debian backports security fixes and new features; judging software by comparing the version number of the Debian package to the upstream version number does not take this into account.

  • The latest version of the software you're trying to use might also have new bugs.

  • Installing software from places other than official Debian repositories is not covered by Debian's Security team.

However, upgrading the package is an XY problem, and instead of upgrading you should be...

Addressing the GhostCat (CVE-2020-1938)

GhostCat is a vulnerability related to default configuration rather than code. From the description for CVE-2020-1938:

Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required.

The AJP connector causing the vulnerability is disabled in Ubuntu by default (Comment #1 for bug #1865904). If you have enabled the AJP connector, disabling the connector or limiting access to it should fix the problem.

Esa Jokinen
  • Thank you for this information. It's a big help. What about downloading the tar file for a newer version and upgrading 'manually'? It seems like this would be a huge pain to track down every config file from the old tomcat install and merge those changes over to the new config files. – CacheMoney Jul 15 '20 at 13:58
  • What is your reason to upgrade? What features 8.5.57 has that 8.5.39 doesn't? You do get security updates from Ubuntu, so it has to be a need related to new features. – Esa Jokinen Jul 15 '20 at 13:59
  • I'd like to upgrade to address the GhostCat vulnerability. – CacheMoney Jul 15 '20 at 14:00
  • @CacheMoney The AJP connector is disabled by default in the Ubuntu package, so there is nothing to do unless you had enabled it. – Michael Hampton Jul 15 '20 at 16:02
  • @MichaelHampton Thanks for the clarification. I've updated my answer as well as edited the question to ask about the actual problem, as this was an XY problem. – Esa Jokinen Jul 15 '20 at 16:52
  • @MichaelHampton Excellent, thank you very much! This is great to know. – CacheMoney Jul 15 '20 at 17:29
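The check the answer above implies, written as an added example (not code from the answer, from Ubuntu or from the Tomcat project): it parses a server.xml, lists the AJP connectors that are actually active and tells you whether each is reachable from the network or bound to loopback. The three sample configurations and the secret value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Bind addresses that keep the AJP connector off the network.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_ajp(server_xml: str) -> list:
    """Return one finding per *active* AJP <Connector> in server.xml text.

    Commented-out connectors are dropped by the XML parser, which matches
    what Tomcat itself does with them, so the Ubuntu default yields no finding.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")  # unset on 8.5.0-8.5.50 means all interfaces
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "exposed": address is None or address not in LOOPBACK,
            "secret_set": bool(conn.get("secret")),
        })
    return findings

def verdict(server_xml: str) -> str:
    """One-line summary a sysadmin can act on for CVE-2020-1938."""
    findings = audit_ajp(server_xml)
    if not findings:
        return "no active AJP connector: nothing to do for CVE-2020-1938"
    if any(f["exposed"] for f in findings):
        return "AJP connector reachable from the network: disable it or bind it to loopback"
    if not all(f["secret_set"] for f in findings):
        return "AJP bound to loopback; consider also setting a shared secret"
    return "AJP bound to loopback with a shared secret"

# Constructed sample configurations (not copied from any real system).
UBUNTU_DEFAULT = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
</Service></Server>"""

AJP_ENABLED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

AJP_HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="PLACEHOLDER-CHANGE-ME"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, cfg in [("ubuntu default", UBUNTU_DEFAULT),
                      ("ajp enabled", AJP_ENABLED), ("ajp hardened", AJP_HARDENED)]:
        print(f"{name}: {verdict(cfg)}")
```

Point it at the real file with `verdict(open("/etc/tomcat8/server.xml").read())`; the path is the Ubuntu package's usual location but verify it on your system.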

You either add Tomcat's own repo to your repo list (if there is one),

or you install the Tomcat binary (or build from sources) from the Apache Tomcat web page: HERE ---->>> https://tomcat.apache.org/download-80.cgi

I notice that there is a README HERE ---->>> http://apache.forsale.plus/tomcat/tomcat-8/v8.5.57/README.html

Also, maybe your distro needs an update or upgrade in order to include the latest Tomcat version; maybe Ubuntu 18.04.3 does not include the latest packages and won't...

Sorry, not an Ubuntu expert.

yield