CVE-2017-12617 Apache-Tomcat vulnerability
- Product: Aleph
- Product Version: 20, 21, 22, 23
- Relevant for Installation Type: Dedicated-Direct, Direct, Local, Total Care
Description
We would like to confirm that ALL our Exlibris products (Primo, Aleph, ARC, SFX, Metalib) are not affected by the CVE-2017-12617 Apache-Tomcat vulnerability (http://cve.mitre.org/cgi-bin/cvename...CVE-2017-12617) .
Resolution
For Primo - not relevant.
For SFX - does not use tomcat at all.
For Aleph and ARC - will be fixed using tomcat 7.0.82; in release by Q4 2017.
Metalib does not use Tomcat, so it is not vulnerable.
For Aleph - SP 22.1.9 (06/Nov/17) (v22 rep_change 2429) and SP 23.1 (07/Aug/17) (v23 rep_change 2035):
Description: Tomcat - moving of Tomcat from Aleph software tree, to 3rd party products.
Till now, Tomcat software is under the Aleph software tree. Therefore each Tomcat upgrade has to be done manually by AIN.
IMPORTANT NOTES:
1. This fix is MANDATORY, it has MANDATORY AIN step.
2. Customers must run "3rd party products update", "Extract" and " Update 3rd party soft links" via the util SP.
Solution: Tomcat software is now handled as third party product, located under Aleph 'product' software tree ($aleph_dev/product/local). From now - any Tomcat update is done via the util SP mechanism.
- Article last edited: 5-Dec-2017