[CVE-2011-2729] - Need help who has knowledge of httpd(mod_jk) and tomcat.

> Hello,
>
> I'd like to know what I should upgrade - tomcat or apache httpd?
>
> CVE pointed out that some of the Tomcat versions on Linux  have vulnerability.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729
>
> I have opentaps 1.0.3(include tomcat 5.5.20) version running on apache
> 2.2.3 by using mod_jk. Do you think I need to upgrade tomcat or
> apache? It's little bit difficult to upgrade opentaps version itself.
>
> It might not be so difficult to upgrade both, but I'd like to make
> sure what's real problem before taking next step.
>
> My doube is, if tomcat is being used through mod_jk, then, the tomcat
> version itself might not be matter. And this mean I do not need to
> upgrade tomcat, but rather need to upgrade apache httpd which would be
> the interface of the server. According to CVE posting, it says I need
> to upgrade to tomcat which include vulnerable version of jsvc. Thus I
> need to upgrade to jsvc 1.0.7 or later(I guess it's being used in
> tomcat & apache both). But I couldn't find what version of jsvc is
> being used on apache httpd 2.2.3. So I'm not sure I need to upgrade
> apache httpd itself as well or not.
>
> Any help would be appreciated. Thank you for reading.
>
> Thank you.
> Soon-Won Park
>

> Apache only talks to mod_jk, not Tomcat, so the version of Apache you
> need is whatever is compatible with your version of mod_jk.
>
> I use Debian Linux, so what I would do first is use Google to work out
> whether the version of Tomcat I want to use requires a specific
> version of mod_jk. If so, I would use Debian's apt-get to ensure I had
> at least that version of mod_jk, and apt-get would automatically
> ensure I had a compatible version of Apache.
>
> Of course, if you don't use a package manager such as apt-get, then
> you'll have to read the release notes for the version you want to use.
> However the documentation for these is usually pretty good at telling
> you if there's some restriction with what version works with what.
>
> I suspect that doesn't answer all of your question, but hopefully it
> gives you a starting point, and maybe someone else can fill in the
> gaps. i don't use Apache/mod_jk these days, having switched to nginx.
>
> Cheers,
> Anne.
>
> On 11 October 2011 01:22, Soon Won Park <[hidden email]> wrote:
>> Hello,
>>
>> I'd like to know what I should upgrade - tomcat or apache httpd?
>>
>> CVE pointed out that some of the Tomcat versions on Linux  have vulnerability.
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729
>>
>> I have opentaps 1.0.3(include tomcat 5.5.20) version running on apache
>> 2.2.3 by using mod_jk. Do you think I need to upgrade tomcat or
>> apache? It's little bit difficult to upgrade opentaps version itself.
>>
>> It might not be so difficult to upgrade both, but I'd like to make
>> sure what's real problem before taking next step.
>>
>> My doube is, if tomcat is being used through mod_jk, then, the tomcat
>> version itself might not be matter. And this mean I do not need to
>> upgrade tomcat, but rather need to upgrade apache httpd which would be
>> the interface of the server. According to CVE posting, it says I need
>> to upgrade to tomcat which include vulnerable version of jsvc. Thus I
>> need to upgrade to jsvc 1.0.7 or later(I guess it's being used in
>> tomcat & apache both). But I couldn't find what version of jsvc is
>> being used on apache httpd 2.2.3. So I'm not sure I need to upgrade
>> apache httpd itself as well or not.
>>
>> Any help would be appreciated. Thank you for reading.
>>
>> Thank you.
>> Soon-Won Park
>>
>
>
>
> --
> Coherent Software Australia Pty Ltd
> PO Box 2773
> Cheltenham Vic 3192
> Phone: (03) 9585 6788
> Fax: (03) 9585 1086
> Web: http://www.cohsoft.com.au/
> Email: [hidden email]
>
> Bonsai ERP, the all-inclusive ERP system
> http://www.bonsaierp.com.au/
>