Can Tomcat be updated independently?

/usr/sbin/httpd -v
Server version: Apache/2.4.37 (Oracle Linux)
Server built: Oct 24 2023 23:52:21

Currently running with tomcat version 2.4.37 and am getting a flag from security that I need it updated asap. I’m having issues updating foreman to 3.9 (currently running 3.8) per these instructions:

Upgrading Foreman to 3.9

Because I'm getting this error that I can't get around:

[root@systemname] yum.repos.d]# dnf update
Updating Subscription Management repositories.
Foreman 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository ‘EROS_OEL8_Foreman’:

So I figured for the time being, if it was possible and painless, I would just update Tomcat. Is this possible or does the version of tomcat need to come with new foreman version?

Tomcat packages are not provided by Foreman, they come from the OS repos, so unless you hit some weird bug, updating tomcat alone should be safe. Just for good measure, and to ensure you do not run into any problems that might arise from package updates dropping any new config files (like updates of httpd do), I recommend running foreman-installer after any package updates.

Thanks! Oddly Apache is also installed on this server. Can Apache be updated independently as well?

First, 2.4.37 is the version of Apache httpd, not Tomcat. Second, that version is the latest and it's safe. What exactly has been "flagged" about this version?

You cannot upgrade a foreman server using the repositories from the same server. It breaks. The server cannot download from itself if it's not running.

You have to disable the subscription manager plugin and enable/setup all the OS repos and foreman/katello repos using the repos/release rpms.

Ok so it looks like I got confused in my original post as to the versions on the server. I wasn't expecting the server to have both Apache and Tomcat services running.

Doesn't look like the server is getting flagged for its current version of Apache, but it is for its current version of Tomcat. Is Tomcat even needed? I have the service stopped currently and the server seems to run perfectly fine. If it's not needed, and to satisfy security for now, I could just remove Tomcat. After that I could work on the repository issue.

Candlepin handles the subscriptions. I am not sure if it is still really needed with SCA.

Either way: what exactly is flagged about the EL8 tomcat version? It’s from the OS repos. It gets patched even if the version number looks old.

Tenable is flagging Tomcat for being a version older than 9.0.86.

But simply checking version numbers doesn't work on RedHat derivatives: security updates get backported into the distro version.

If you were only checking software versions on an EL OS, it should have a lot of bugs and issues.

It may, I haven't read that far into the report for all the bugs associated with the Tomcat version. If Tomcat isn't needed on the foreman server I'll just remove it. It may have been installed inadvertently at the time of initial set up. Do you know if Tomcat is needed for a foreman server? I can't imagine it would need 2 web server apps to function.

Again: if you are just looking at the version numbers, you cannot run RHEL or Alma or Rocky or OL. If you don’t trust RedHat to provide safe software, don’t use it.

But that is not how it works. RedHat backports security fixes into old versions to make them secure.

Just look at Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project If you are just looking at the version number 2.4.37 of httpd that you have you’d have a long list of issues. Same applies to the tomcat/jsp rpm candlepin is using.

Tomcat isn’t a web server. It’s a servlet container. Katello requires candlepin, which runs in tomcat. Don’t mess with the foreman installation. You just break it and foreman-installer will reinstall it after the next update.

So unless the security scanner is referring to a specific RedHat rpm version (considering all the patches applied to the original version), the report is a false positive.

Don’t break the system…

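The thread's point about backported fixes (the scanner compares the upstream version string, while EL packages carry the CVE fixes in their changelog) can be checked on the host rather than argued about. The script below is an added example, not code from the original thread or from the Foreman project: it parses a changelog in the format `rpm -q --changelog PKG` prints and reports which package release first mentions a given CVE id. The changelog text, packager, dates, EVRs and the CVE ids (`CVE-0000-000x`) are constructed placeholders, and `rpm_mentions_cve` is a hypothetical helper name for the live check.

```shell
#!/bin/sh
# Added example: verify a version-only scanner finding against an EL package
# whose security fixes are backported. On RHEL/Alma/Rocky/OL the package
# changelog (rpm -q --changelog PKG) records which CVEs each errata fixed, so
# the CVE id, not the upstream version string, is what to look for.

# Constructed sample in the format `rpm -q --changelog` prints; packager,
# dates, EVRs and the CVE ids (CVE-0000-000x) are placeholders, not real data.
SAMPLE_CHANGELOG='* Tue Mar 05 2024 Example Packager <packager@example.invalid> - 9.0.0-7
- Resolves: CVE-0000-0002 (placeholder)

* Mon Jan 15 2024 Example Packager <packager@example.invalid> - 9.0.0-5
- Resolves: CVE-0000-0001 (placeholder)
- Rebase of a bundled component

* Fri Nov 03 2023 Example Packager <packager@example.invalid> - 9.0.0-1
- Initial packaging'

# Return 0 if the CVE id appears anywhere in the changelog text, 1 otherwise.
changelog_mentions_cve() {
    changelog=$1
    cve=$2
    printf '%s\n' "$changelog" | grep -i -q -- "$cve"
}

# Print the EVR of the newest changelog entry that mentions the CVE.
# Header lines look like "* <date> <packager> - <EVR>", so the EVR is the
# last field of the most recent header line seen before the matching line.
# Prints nothing when the CVE is not mentioned.
changelog_fix_evr() {
    changelog=$1
    cve=$2
    printf '%s\n' "$changelog" | awk -v cve="$cve" '
        /^\* / { evr = $NF; next }
        index(tolower($0), tolower(cve)) { print evr; exit }
    '
}

# Live check on an EL host (hypothetical helper): does the changelog of the
# installed package mention the CVE? Returns 2 when rpm is not available.
# Usage: rpm_mentions_cve pki-servlet-engine CVE-YYYY-NNNN
rpm_mentions_cve() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    rpm -q --changelog "$1" | grep -i -q -- "$2"
}

# Demo on the constructed sample: one CVE is fixed, one is not mentioned.
for cve in CVE-0000-0001 CVE-0000-0009; do
    if changelog_mentions_cve "$SAMPLE_CHANGELOG" "$cve"; then
        echo "$cve: fixed in EVR $(changelog_fix_evr "$SAMPLE_CHANGELOG" "$cve")"
    else
        echo "$cve: not mentioned in changelog, check the vendor's CVE page before calling it a false positive"
    fi
done
```

On the server itself, `rpm -q --changelog pki-servlet-engine | grep -i CVE-YYYY-NNNN` (with the ids from the scanner report) is the whole check: a hit means the fix is already in the installed release regardless of what the version string says; no hit means the finding needs a real look at the vendor's CVE page rather than being dismissed.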

Thats the answer I needed. The install needs Tomcat. I’ll work on getting it updated.

Thanks!

If there is a newer version available from the repo, that is. If not, I see your point. It's most likely a false positive from Tenable because all it is looking at is the version and it's assuming it should be the same as other servers running Tomcat and Apache…

If there is a new version of any installed rpm in the repos you should of course update. And usually run foreman-installer again.

But don't try to replace the rpms from the OS repos with other versions from elsewhere. It most likely breaks because a new version (number) is often not 100% compatible with the older version, therefore requiring some configuration changes which foreman doesn't know about…

If you are running the Katello setup, then tomcat is needed for Candlepin. Right now we use tomcat under another name, pki-servlet-engine, which is not getting many updates. In CentOS Stream 8 a change has landed that will swap our deployments to using the named tomcat package, which gets updates. This change will then propagate through to RHEL, and the various rebuilders are on their own schedules.


Candlepin is also who Katello proxies requests to when you run subscription-manager commands on a host. It also keeps track of things like content views and lifecycle environments assigned to the host, content overrides, system purpose attributes, etc. So Candlepin will be needed for the foreseeable future, even with SCA.