We are at 4.3 SP3 and need to update Apache Tomcat as our IT department said there are vulnerabilities. Has anyone upgraded it with success? Can you share the steps?
Can you please post the vulnerability weblink posted by SAP? We are planning to upgrade to SP4 and want to check if we need to update our Tomcat too.
Thanks,
Srinivas
Our IT department said we needed to upgrade Tomcat. With upgrade to SP4 - Tomcat gets upgraded too - just not sure what version.
This is an article discussing the vulnerabilities: Apache Tomcat Conditional Competition Code Execution Vulnerability (CVE-2024-50379) - NSFOCUS, Inc.
Have you checked with SAP? Looks like it may not have been impacted, KBA 2498770.
At our organization we use a separate installation of Apache Tomcat on our BusinessObjects servers and then deploy the BusinessObjects WAR files. This permits upgrading Apache Tomcat independently from BusinessObjects.
You may want to look into changing your process to use an independent install of Apache Tomcat to eliminate the dependency on the packaged version of Apache Tomcat that comes with each BusinessObjects patch/install.
SAP is doing a much better job of integrating updated Tomcat versions, especially as vulnerabilities are disclosed. Instead of simply upgrading Apache Tomcat, I would make the case for applying the latest SAP BusinessObjects service pack. SAP KB 2112338 lists every patch level of BOBJ along with the Apache Tomcat and JVM versions. SAP BI 4.3 SP4 Patch 13+, BI 4.3 SP5+, and BI 2025 Patch 2+ all have Apache Tomcat 9.0.104 (released April 2025). As of this writing, the most recent version on the Apache site is 9.0.107 (released July 2025).
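
Added example (not part of any post above, and not SAP or Apache code): a POSIX shell check that reads the version a Tomcat install reports about itself and compares it numerically against a baseline such as the 9.0.104 mentioned in this thread. It works for a bundled or a standalone install. The function names and the sample output are constructed for illustration; `CATALINA_HOME` pointing at the Tomcat directory and `java` on the PATH are assumptions.

```shell
#!/bin/sh
# Real use (assumes CATALINA_HOME is the Tomcat directory and java is on PATH):
#   java -cp "$CATALINA_HOME/lib/catalina.jar" \
#        org.apache.catalina.util.ServerInfo | check_tomcat 9.0.104

# Constructed sample of ServerInfo output, so the script runs offline.
sample_serverinfo() {
  printf '%s\n' \
    'Server version: Apache Tomcat/9.0.90' \
    'Server built:   (constructed sample)' \
    'Server number:  9.0.90.0'
}

# Read ServerInfo output on stdin, print major.minor.patch (e.g. 9.0.90).
tomcat_version() {
  sed -n 's/^Server number:[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
    head -n 1
}

# Succeed if version $1 >= version $2. Fields are compared as numbers,
# so 9.0.9 is correctly older than 9.0.104 (a string compare gets this wrong).
version_ge() {
  vg_a=$1; vg_b=$2
  for vg_i in 1 2 3; do
    vg_x=${vg_a%%.*}; vg_y=${vg_b%%.*}
    if [ "$vg_x" -gt "$vg_y" ]; then return 0; fi
    if [ "$vg_x" -lt "$vg_y" ]; then return 1; fi
    vg_a=${vg_a#*.}; vg_b=${vg_b#*.}
  done
  return 0
}

# $1 = baseline version; ServerInfo output on stdin.
# Prints "OK <ver>", "BELOW <ver>" or "UNKNOWN" (exit status 0, 1 or 2).
check_tomcat() {
  ct_found=$(tomcat_version)
  if [ -z "$ct_found" ]; then echo "UNKNOWN"; return 2; fi
  if version_ge "$ct_found" "$1"; then
    echo "OK $ct_found"
  else
    echo "BELOW $ct_found"; return 1
  fi
}

# Demo on the constructed sample; "|| true" keeps the demo from failing the script.
sample_serverinfo | check_tomcat 9.0.104 || true
```

Running the check after each BusinessObjects patch confirms that the deployed Tomcat matches what the SAP KB lists for that patch level.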