$ /usr/sbin/httpd -v
Server version: Apache/2.4.37 (Oracle Linux)
Server built:   Oct 24 2023 23:52:21
Currently running with tomcat version 2.4.37 and am getting a flag from security that I need it updated asap. I’m having issues updating foreman to 3.9 (currently running 3.8) per these instructions:
So I figured for the time being, if it was possible and painless, I would just update Tomcat. Is this possible or does the version of tomcat need to come with new foreman version?
Tomcat packages are not provided by Foreman, they come from the OS repos, so unless you hit some weird bug, updating tomcat alone should be safe. Just for good measure, and to ensure you do not run into any problems that might arise from package updates dropping any new config files (like updates of httpd do), I recommend running foreman-installer after any package updates.
First 2.4.37 is the version of apache httpd not tomcat. Second, that version is the latest and it’s safe. What exactly has been “flagged” about this version?
You cannot upgrade a foreman server using the repositories from the same server. It breaks. The server cannot download from itself if it’s not running.
You have to disable the subscription manager plugin and enable/setup all the OS repos and foreman/katello repos using the repos/release rpms.
Ok so it looks like I got confused in my original post as to the versions on the server. I wasn’t expecting the server to have both apache and tomcat services running.
Doesn’t look like the server is getting flagged for its current version of Apache but it is for its current version of Tomcat. Is Tomcat even needed? I have the service stopped currently and the server seems to run perfectly fine. If it’s not needed, and to satisfy security for now, I could just remove Tomcat. After that I could work on the repository issue.
It may, I haven’t read that far into the report for all the bugs associated with the Tomcat version. If Tomcat isn’t needed on the foreman server I’ll just remove it. It may have been installed inadvertently at the time of initial set up. Do you know if Tomcat is needed for a foreman server? I can’t imagine it would need 2 web server apps to function.
Again: if you are just looking at the version numbers, you cannot run RHEL or Alma or Rocky or OL. If you don’t trust RedHat to provide safe software, don’t use it.
But that is not how it works. RedHat backports security fixes into old versions to make them secure.
Tomcat isn’t a web server. It’s a servlet container. Katello requires candlepin, which runs in tomcat. Don’t mess with the foreman installation. You just break it and foreman-installer will reinstall it after the next update.
So unless the security scanner isn’t referring to a specific RedHat rpm version (considering all the patches applied to the original version) the report is a false positive.
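One way to check the backport claim made above for yourself: the RPM changelog of a RHEL-family package lists the CVE identifiers the maintainer backported fixes for, so a scanner hit based only on the upstream version string can be compared against it. This is an added example, not code from the thread or from Foreman; the maintainer name and CVE ids in the embedded sample changelog are constructed placeholders, and the live `rpm -q --changelog` call assumes a host where rpm is installed.

```shell
#!/bin/sh
# Added example (not from the thread): pull the CVE ids that a distribution
# package's RPM changelog says were fixed, so a version-only scanner finding
# can be checked against vendor backports.

# Parse changelog text on stdin; print each unique CVE id on its own line.
extract_cves() {
  grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Succeed (exit 0) if the given CVE id appears in the changelog on stdin,
# fail (exit 1) otherwise.
changelog_mentions() {
  extract_cves | grep -qx "$1"
}

# Live use on a RHEL-family host (only works where rpm is installed):
#   changelog_for tomcat | extract_cves
#   changelog_for tomcat | changelog_mentions CVE-YYYY-NNNN && echo "backported"
changelog_for() {
  rpm -q --changelog "$1"
}

# Constructed sample changelog (fake maintainer, fake CVE ids) so the
# parsing functions can be exercised offline without rpm present.
SAMPLE_CHANGELOG='* Tue Jan 09 2024 Example Maintainer <maint@example.invalid> - 1:0.0.0-2
- Resolves: CVE-0000-1111 CVE-0000-2222
- Rebuild for example purposes
* Mon Dec 04 2023 Example Maintainer <maint@example.invalid> - 1:0.0.0-1
- Resolves: CVE-0000-1111 (initial backport)'

# Run with --demo to list the CVE ids found in the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_CHANGELOG" | extract_cves
fi
```

If a flagged CVE id is in the changelog of the installed package, the finding is the version-string false positive described in this thread; if it is not, and the repo offers no newer build, that is the case to raise with the vendor rather than replacing the rpm from elsewhere.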
If there is a newer version available from the repo that is. If not, I see your point. It’s most likely a false positive from Tenable because all it is looking at is the version and it’s assuming it should be the same as other servers running Tomcat and Apache…
If there is a new version of any installed rpm in the repos you should of course update. And usually run foreman-installer again.
But don’t try to replace the rpms from the os repos with other versions from elsewhere. It most likely breaks because a new version (number) is often not 100% compatible with the older version, therefore requiring some configuration changes which foreman doesn’t know about…
If you are running the Katello setup, then tomcat is needed for Candlepin. Right now we use tomcat by another name pki-servlet-engine which is not getting many updates. In CentOS Stream 8 a change has landed that will swap our deployments to using the named tomcat package which gets updates. This change will then propagate through to RHEL and the various rebuilders are on their schedules.
Candlepin is also who Katello proxies requests to when you run subscription-manager commands on a host. It also keeps track of things like content views and lifecycle environments assigned to the host, content overrides, system purpose attributes, etc. So Candlepin will be needed for the foreseeable future, even with SCA.