Stop chasing zero-days. Learn to check, patch, and harden Apache Tomcat on Ubuntu, Rocky, SUSE. Includes automation scripts & iptables mitigation. Stay secure long-term.
Don’t let another CVE ruin your weekend.
On April 15, 2026, openSUSE released an update fixing 10 Tomcat vulnerabilities (including CVE-2026-29146 and CVE-2026-34486 with CVSS up to 8.7). But the date is just history – Tomcat will have more flaws next year. What matters is having a repeatable process.
This guide gives you commands, scripts, and workarounds that work today and six months from now.
How to Check If You Are Vulnerable
Run these commands on your server right now. They show the installed Tomcat package version so you can compare it against the fixed release.
Ubuntu / Debian (apt)
dpkg -l | grep tomcat11
# or for older Tomcat 9: dpkg -l | grep tomcat9
Rocky Linux / RHEL / CentOS (yum/dnf)
rpm -qa | grep tomcat
# Detailed version: dnf list installed tomcat*
SUSE Linux Enterprise / openSUSE (zypper)
zypper search --installed-only tomcat
# Show exact version: zypper info tomcat11
What to look for:
If your Tomcat 11 version is older than 11.0.21-1.1, you’re exposed to at least one of the 10 CVEs. For Tomcat 9 or 10, check the Apache Tomcat security page – but the same process applies.
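As an added example (not part of the original post), here is the same comparison in plain POSIX sh: it strips a dpkg epoch, compares the installed package version field by field against the fixed release named above, and reads the installed version from dpkg or rpm. The package name tomcat11 and the threshold 11.0.21-1.1 come from the post; FIXED_TOMCAT11 is an assumed name, and you should set it to the fixed version your own distro's advisory names.

```shell
#!/bin/sh
# Added example, not from the original post: compare the installed Tomcat
# package version with the fixed release in plain POSIX sh.

# Fixed version named in the post for the openSUSE tomcat11 package.
# Assumption: change it to the version your own distro's advisory names.
FIXED_TOMCAT11="11.0.21-1.1"

# version_lt A B -> returns 0 when A is older than B.
# Drops a dpkg epoch ("1:"), splits on '.', '_' and '-', compares each field
# numerically (a suffix such as "1ubuntu2" counts as 1, a missing field as 0),
# so 11.0.21 < 11.0.21-1.1 and 9.0.100 > 9.0.9.
version_lt() {
  a=$(printf '%s' "${1#*:}" | tr '._-' '   ')
  b=$(printf '%s' "${2#*:}" | tr '._-' '   ')
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%% *}; a=${a#"$x"}; a=${a# }
    y=${b%% *}; b=${b#"$y"}; b=${b# }
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1
}

# tomcat_status VERSION -> prints the verdict; returns 1 while still vulnerable.
tomcat_status() {
  if version_lt "$1" "$FIXED_TOMCAT11"; then
    echo "VULNERABLE: tomcat11 $1 is older than $FIXED_TOMCAT11"
    return 1
  fi
  echo "PATCHED: tomcat11 $1 is $FIXED_TOMCAT11 or newer"
  return 0
}

# installed_tomcat_version -> prints the package version from whichever
# package database exists (dpkg on Ubuntu/Debian, rpm on Rocky/SUSE).
installed_tomcat_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' tomcat11 2>/dev/null && return 0
  fi
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat11 2>/dev/null && return 0
  fi
  echo "tomcat11 package not found" >&2
  return 1
}

# On a server: tomcat_status "$(installed_tomcat_version)"
```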
Automation Script to Apply the Fix
Save this as patch-tomcat.sh and run it as root on any major distro. It detects the package manager, updates Tomcat, restarts the service, and prints the installed package version so you can compare it with the fixed release.
#!/bin/bash
# Evergreen Tomcat patcher – works on Ubuntu, Rocky, SUSE
set -e

# Package updates and service restarts need root
if [ "$(id -u)" -ne 0 ]; then
  echo "Run this script as root (or with sudo)" >&2
  exit 1
fi

if command -v apt &> /dev/null; then
  echo "Detected Ubuntu/Debian"
  apt update
  # --only-upgrade: update the packages if installed, never pull in new ones
  apt install --only-upgrade -y tomcat11 tomcat11-admin-webapps
  systemctl restart tomcat11
  echo "Tomcat updated. Current version:"
  dpkg-query -W -f='${Version}\n' tomcat11
elif command -v dnf &> /dev/null; then
  echo "Detected Rocky/RHEL"
  dnf update -y tomcat
  systemctl restart tomcat
  echo "Tomcat updated. Current version:"
  rpm -q tomcat
elif command -v zypper &> /dev/null; then
  echo "Detected SUSE"
  zypper refresh
  zypper update -y tomcat11
  systemctl restart tomcat11
  echo "Tomcat updated. Current version:"
  rpm -q tomcat11
else
  echo "Unsupported distro – manual update required"
  exit 1
fi
Alternative Mitigation (If You Can’t Update Now)
# Block remote disclosure attempts (common for these CVEs)
# Note: -m string inspects each packet in plaintext only, so this is a stopgap until you patch
iptables -A INPUT -p tcp --dport 8080 -m string --string "..;/" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 8080 -m string --string "/WEB-INF" --algo bm -j DROP
Save rules (persist across reboot):
# Ubuntu (path used by the iptables-persistent package)
iptables-save > /etc/iptables/rules.v4
# Rocky (needs the iptables-services package)
service iptables save
# SUSE
iptables-save > /etc/sysconfig/iptables
AppArmor – Confine Tomcat (works on Ubuntu & SUSE)
aa-genprof tomcat11
# Then follow prompts to restrict file access – specifically block read from /WEB-INF/
Reverse Proxy Workaround (nginx/haproxy)
If you have a proxy in front of Tomcat, filter malicious paths:
# nginx location block
location ~* (\.\./|/WEB-INF/) {
    return 403;
}
Suggested reading
Why this ebook is important:
This ebook covers modsecurity, connector hardening, and the exact privilege separation that stops exploits like CVE-2026-34487.
Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.