Tomcat 8 and JSS 9.93

bmarks
Contributor II

Tomcat 8 is mentioned (for the first time, I think) in the release notes for JSS 9.93. It isn't explicitly mentioned as a requirement, but I'm wondering:

  1. Is Tomcat 8 now supported?
  2. Are there any advantages to this?
  3. Does anyone have any experience running Tomcat 8?

bmarks
Contributor II

I just noticed Tomcat 8.0.36 is now installed when you use a JSS installer too, so I guess that answers the "is it supported" question. So, I guess my main question now is if there are any specific reasons to upgrade to Tomcat 8 on an already-deployed JSS.

jjones
Contributor II

Looking at the Tomcat pages I found this:

Apache Tomcat 8.x builds on Tomcat 7.0.x and implements the Servlet 3.1, JSP 2.3, EL 3.0 and Web Socket 1.1 specifications. In addition to that, it includes the following significant improvements: A single, common resources implementation to replace the multiple resource extension features provided in earlier versions.

Also, it looks like going from Tomcat 7 to 8 fully drops Java 6, leaving Java 7/8 support only.

Source

H3144-IT
Contributor II

Tomcat shows that 8.0.36 is for Java SE 7 / Tomcat 8.5.4 for Java SE 8, so do you continue supporting the old Java 7 platform? Why not go for 8?!

iRyan23
New Contributor III

@H3144-IT

According to the Tomcat website, as of version 8.0.x (current version 8.0.36), Tomcat supports Java 7 and later. You have the option to use either Java 7 or Java 8 regardless of which version of Tomcat 8 you are using. It is up to you as the end-user which version you would like to use.

Source

shakim
New Contributor III

When I upgraded my JSS to 9.93, our security team hit me up indicating the following vulnerabilities. Will the JSS support the latest Apache build?

Vulnerability Details

CVE : CVE-2009-3560
Title :Multiple Vendor Expat "big2_toUtf8" Buffer Over-Read DoS Vulnerability
TVM Temporal Score 6.6
Description:Remote exploitation of a design error vulnerability in Expat, as included in various vendors' operating system distributions, could allow attackers to create a denial of service (DoS) condition on the targeted host.
Vulnerable Version : Apache Software Foundation: Apache Portable Runtime version prior to 0.9.19 and APR Utility versions prior to 0.9.19, Apache 2.2.16 and prior, Apache 2.0.63 and prior
Fix:http://httpd.apache.org/download.cgi

CVE : CVE-2010-1452
Title :Apache HTTP Server 2.2.15 mod_cache and mod_dav Undisclosed DoS Vulnerability
TVM Temporal Score 6
Description:Remote exploitation of an undisclosed vulnerability in Apache Software Foundation's Apache version 2.2.15 could allow an attacker to cause a denial of service (DoS) condition. * An undisclosed vulnerability exists in Apache mod_cache and mod_dav, which could allow an attacker to cause a DoS condition.
Vulnerable version:Apache Software Foundation's Apache versions 2.0.63 and 2.2.15 are vulnerable.
Fix:http://httpd.apache.org/download.cgi

CVE : CVE-2010-1623
Title :Apache HTTPD: apr_brigade_split_line DoS
TVM Temporal Score 6
Description:Remote exploitation of an unspecified vulnerability in the Apache Software Foundation's APR-util could allow attackers to cause a denial of service (DoS) on a targeted system. * The vulnerability exists in the apr_brigade_split_line() function.
Vulnerable version:Apache Software Foundation: Apache 2.2.16 and prior, Apache 2.0.63 and prior
Fix:http://httpd.apache.org/download.cgi

CVE: CVE-2011-0419
Title :Apache HTTPD: apr_fnmatch flaw leads to mod_autoindex remote DoS (CVE-2011-0419)
TVM Temporal Score 6.6
Description:Remote exploitation of a design error vulnerability in the Apache Software Foundation's Apache Portable Runtime (APR) library, as provided in various operating system distributions, could allow attackers to cause a denial of service (DoS) on a targeted host. * The APR library contains a recursion flaw when processing patterns containing "*"
Vulnerable version:apache:Apache Software Foundation Apache HTTP Server 2.2.18
Fix:http://httpd.apache.org/downloaad

CVE: CVE-2011-3348
Title :Apache HTTPD: mod_proxy_ajp remote DoS (CVE-2011-3348)
TVM Temporal Score 6.4
Description:Remote exploitation of an unspecified vulnerability in versions 2.2.20 and prior of The Apache Software Foundation's httpd could allow attackers to conduct unspecified attacks on the targeted host. * An unspecified vulnerability exists in the mod_proxy_ajp module as made available in httpd. The module is designed to forward http requests to a Tomcat application server using the AJP protocol. Specifically, mod_proxy_ajp fails to return "HTTP_NOT_IMPLEMENTED" for a bad request method ("status" resulting in "AJP_EBAD_METHOD").
Vulnerable version:httpd versions 2.2.20 and prior are vulnerable
Fix:http://httpd.apache.org/download.cgi

CVE: CVE-2013-1896
Title :Apache HTTPD: mod_dav crash (CVE-2013-1896)
TVM Temporal Score 6.6
Description:Remote exploitation of an input validation error vulnerability in versions prior to 2.2.25 of the Apache Software Foundation's HTTP Server could allow attackers to create a denial of service (DoS) condition on the targeted host. * An input validation error vulnerability exists in the mod_dav module available for the HTTP Server. Specifically, the vulnerable module may segmentation fault while processing a MERGE request with a source href pointing to a URI not configured for the DAV.
Vulnerable version:HTTP Server versions prior to 2.2.25 and 2.4.6 are vulnerable.
Fix:http://httpd.apache.org/download.cgi

CVE: CVE-2014-0118
Title :Apache HTTPD: mod_deflate denial of service (CVE-2014-0118)
TVM Temporal Score 6
Description:Remote exploitation of a design error vulnerability in multiple versions of the Apache Software Foundation's HTTP Server could allow attackers to create a denial of service (DoS) condition on the targeted host. * A design error vulnerability has been identified in Apache HTTP Server. The error exists with the "mod_deflate" filter module. Specifically, when an Apache host has the "request body decompression" setting configured with the "DEFLATE" input filter, an attacker forces the host to consume system resources via a specially crafted request.
Vulnerable version:apache: http_server 2.4.6, 2.4.8, 2.4.7, 2.4.4, 2.4.3, 2.4.9, 2.4.2, 2.4.1, 2.2.27
Fix:http://httpd.apache.org/download.cgi

CVE : CVE-2014-0226
Title :Apache HTTPD: mod_status buffer overflow (CVE-2014-0226)
TVM Temporal Score 6.8
Description:Remote exploitation of a race condition vulnerability in versions prior to 2.4.10 of the Apache Software Foundation's Apache HTTP Server could allow attackers to access sensitive information or execute arbitrary code on the targeted host. * A race condition vulnerability has been identified in Apache HTTP Server. The error occurs because of a race condition in the scoreboard handling in mod_status. This error leads to a heap-based buffer overflow condition.
Vulnerable version:Apache HTTP Server versions 2.4.x prior to 2.4.10, and 2.2.x prior to 2.2.29 are vulnerable
Fix:http://httpd.apache.org/download.cgi

CVE: CVE-2014-0231
Title :Apache HTTPD: mod_cgid denial of service (CVE-2014-0231)
TVM Temporal Score 6
Description:Remote exploitation of an input validation error vulnerability in multiple versions of the Apache Software Foundation's HTTP Server could allow attackers to create a denial of service (DoS) condition on the targeted host. * An input validation error vulnerability has been identified in Apache HTTP Server. The error exists with the "mod_cgid" module, which fails to validate user-supplied data. Processing such data can result in a lingering HTTPD child process and a server hang.
Vulnerable version:Apache HTTPD versions prior to 2.4.10 are vulnerable.
Fix:http://httpd.apache.org/download.cgi

CVE:CVE-2015-3183
Title :Apache HTTPD: HTTP request smuggling attack against chunked request parser (CVE-2015-3183)
TVM Temporal Score 6.6
Description:Remote exploitation of a design error vulnerability in the Apache Software Foundation's HTTP Server could allow attackers to create a denial of service (DoS) condition on the targeted host. * A design error vulnerability has been identified in HTTP Server. The error is related to how the chunk headers are parsed.
Vulnerable version:apache: http_server 2.4.13, 2.2.18, 2.2.19, 2.2.0, 2.2.13, 2.2.10, 2.2.11, 2.2.16, 2.2.17, 2.2.14, 2.2.15, 2.2.12, 2.4.8, 2.4.9, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.6, 2.4.7, 2.2.6, 2.2.7, 2.2.4, 2.2.5, 2.4.10, 2.2.3, 2.4.12, 2.2.8, 2.2.9, 2.2.23, 2.2.22, 2.2.21, 2.2.20, 2.2.27, 2.2.24, 2.2.29, 2.2.2
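Editor's note: every finding in the list above is for Apache HTTP Server (httpd), which is a separate product from the Tomcat that the JSS installer ships; the first triage step is therefore to confirm whether httpd is installed on the host at all (`httpd -v` / `apachectl -v`) and, if so, which exact version. The added example below, which is not part of the original post and not Jamf's or Apache's code, shows the second step: parsing the scanner's free-text "Vulnerable version" lines from this thread into comparable constraints and checking an observed httpd version against them. The `Server:` header value and the observed versions are constructed for the example; the finding texts are copied from the post. Version comparison is deliberately limited to the same major.minor branch, because httpd 2.2.x and 2.4.x were maintained in parallel and "prior to 2.4.10" says nothing about a 2.2.x build.

```python
"""Triage free-text scanner findings against an observed Apache httpd version.

Added example, not part of the original forum post. Finding texts are the
"Vulnerable version" lines from the post; headers/versions are constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Constraint = Tuple[str, Version]          # ("eq" | "lt" | "le", version)

VER = r"\d+\.\d+\.\d+"                     # three-component version token

# Subset of the findings quoted in the thread (text copied as posted).
FINDINGS: Dict[str, str] = {
    "CVE-2010-1452": "Apache Software Foundation's Apache versions 2.0.63 and 2.2.15 are vulnerable.",
    "CVE-2011-0419": "apache:Apache Software Foundation Apache HTTP Server 2.2.18",
    "CVE-2011-3348": "httpd versions 2.2.20 and prior are vulnerable",
    "CVE-2013-1896": "HTTP Server versions prior to 2.2.25 and 2.4.6 are vulnerable.",
    "CVE-2014-0118": "apache: http_server 2.4.6, 2.4.8, 2.4.7, 2.4.4, 2.4.3, 2.4.9, 2.4.2, 2.4.1, 2.2.27",
    "CVE-2014-0226": "Apache HTTP Server versions 2.4.x prior to 2.4.10, and 2.2.x prior to 2.2.29 are vulnerable",
    "CVE-2014-0231": "Apache HTTPD versions prior to 2.4.10 are vulnerable.",
    "CVE-2015-3183": "apache: http_server 2.4.13, 2.2.18, 2.2.19, 2.2.0, 2.2.13, 2.2.10, 2.2.11, 2.2.16, "
                     "2.2.17, 2.2.14, 2.2.15, 2.2.12, 2.4.8, 2.4.9, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.6, "
                     "2.4.7, 2.2.6, 2.2.7, 2.2.4, 2.2.5, 2.4.10, 2.2.3, 2.4.12, 2.2.8, 2.2.9, 2.2.23, 2.2.22, "
                     "2.2.21, 2.2.20, 2.2.27, 2.2.24, 2.2.29, 2.2.2",
}


def parse_version(s: str) -> Version:
    """'2.2.31' -> (2, 2, 31); tuples compare component-wise, unlike strings."""
    return tuple(int(p) for p in s.split("."))


def version_from_server_header(header: str):
    """Pull the httpd version out of a 'Server: Apache/x.y.z (...)' banner, if present."""
    m = re.search(rf"Apache/({VER})", header)
    return m.group(1) if m else None


def parse_constraints(text: str) -> List[Constraint]:
    """Turn the scanner's wording into constraints.

    'X and prior'            -> ("le", X)
    'prior to X [and Y ...]' -> ("lt", X), ("lt", Y) ...
    any version left over    -> ("eq", V)   (explicit affected-version lists)
    """
    cons: List[Constraint] = []

    def take(pattern: str, kind: str) -> None:
        nonlocal text

        def repl(m: "re.Match") -> str:
            for v in re.findall(VER, m.group(0)):
                cons.append((kind, parse_version(v)))
            return " "                      # blank out so the token is not re-read as "eq"

        text = re.sub(pattern, repl, text)

    take(rf"{VER}\s+and prior", "le")
    take(rf"prior to\s+{VER}(?:,?\s+and\s+{VER})*", "lt")
    for v in re.findall(VER, text):
        cons.append(("eq", parse_version(v)))
    return cons


def is_affected(observed: Version, constraints: List[Constraint]) -> bool:
    """Apply constraints only within the observed version's major.minor branch."""
    for kind, v in constraints:
        if v[:2] != observed[:2]:
            continue                        # 2.2.x and 2.4.x are independent lines
        if kind == "eq" and observed == v:
            return True
        if kind == "lt" and observed < v:
            return True
        if kind == "le" and observed <= v:
            return True
    return False


def triage(observed_version: str, findings: Dict[str, str] = FINDINGS) -> Dict[str, bool]:
    """Map each CVE in the findings to whether the observed httpd version matches its text."""
    observed = parse_version(observed_version)
    return {cve: is_affected(observed, parse_constraints(text)) for cve, text in findings.items()}


if __name__ == "__main__":
    banner = "Server: Apache/2.2.31 (Unix)"          # constructed sample banner
    v = version_from_server_header(banner)
    for cve, hit in triage(v).items():
        print(f"{cve}: {'AFFECTED' if hit else 'not affected'} at httpd {v}")
```

Note that a finding worded for only one branch (CVE-2014-0231's "prior to 2.4.10") is not applied to a 2.2.x build by this reader; that reflects the scanner text as posted, not the CVE's actual scope, so a "not affected" result here is a prompt to check the vendor advisory, not a final answer.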