question on Upgrading Apache Tomcat
ajlindy
Brekeke Talented


Joined: 12 Sep 2017
Posts: 53

Posted: Wed Dec 01, 2021 7:45 am    Post subject: question on Upgrading Apache Tomcat

1. Brekeke Product Name and Version: Advanced Edition 3.10.6.4

2. Java version: Current, but unknown

3. OS type and the version: Windows 2016 64-bit

4. UA (phone), gateway or other hardware/software involved:

5. Your problem:

I'm going to have to upgrade from the current version of Brekeke I have because it bundled Apache Tomcat 9.0.33 and now we need to go to at least 9.0.48 due to more vulnerabilities found.

I'm going to make a backup of the webapps folder, uninstall Brekeke, separately install Apache Tomcat 9.0.55 and then reinstall Brekeke 3.10.6.5 (a slight upgrade) and put the old webapps folder back in place.

Are there any problems with what I just said?
Thank you!
Niloc
Brekeke Talented


Joined: 19 Sep 2017
Posts: 70
Location: NL

Posted: Wed Dec 01, 2021 12:05 pm

Hi ajlindy,

Have you looked at the following wiki topic "How to update web server (Apache Tomcat)" ?

https://docs.brekeke.com/sip/update-web-server
ajlindy
Brekeke Talented


Joined: 12 Sep 2017
Posts: 53

Posted: Wed Dec 01, 2021 12:08 pm

> Niloc wrote:
> Hi ajlindy,
>
> Have you looked at the following wiki topic "How to update web server (Apache Tomcat)" ?
>
> https://docs.brekeke.com/sip/update-web-server


Yes I have, and I plan on doing those steps - was just curious if there were any other Gotchas that maybe the guide wouldn't be talking about that people knew to watch for.

Thank you!
ezzadin
Brekeke Junior Member


Joined: 25 May 2011
Posts: 8

Posted: Thu Dec 09, 2021 8:34 am

I have done the steps from the wiki many times, and have never run into an issue. Make sure to make a copy of the conf folder as well, just in case.
ajlindy
Brekeke Talented


Joined: 12 Sep 2017
Posts: 53

Posted: Mon Dec 13, 2021 7:10 am

> Niloc wrote:
> Hi ajlindy,
>
> Have you looked at the following wiki topic "How to update web server (Apache Tomcat)" ?
>
> https://docs.brekeke.com/sip/update-web-server



Does Brekeke SIP Proxy fall prey to the Log4J vulnerability?
Mike
Support Team


Joined: 07 Mar 2005
Posts: 731
Location: Sunny San Mateo

Posted: Mon Dec 13, 2021 6:19 pm

Log4j packages we are using in our product are not affected by the vulnerability called CVE-2021-44228.

There are two Log4j packages in the product.

- Log4j bundled in the GUI part (Tomcat).
It is not affected because it is the customized Log4j (not default).
Please refer to https://bishopfox.com/blog/log4j-zero-day-cve-2021-44228 for more details.

- Log4j bundled in the product core.
It is not affected because it is Log4j version 1, not version 2.
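Added example, not part of the thread and not Brekeke's code: one way to check a vendor statement like the one above is to inventory which Log4j generation is actually packaged inside a war file, matching on class paths rather than jar file names. The marker classes chosen, the function names and the sample archive are assumptions of this example; a customized build that relocates its packages would not match these markers.

```python
import io
import zipfile

# JndiLookup exists only in Log4j 2.x log4j-core and is the class involved in
# CVE-2021-44228; Category is a core class of the Log4j 1.x API.
V2_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
V1_MARKER = "org/apache/log4j/Category.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, findings=None, depth=0, max_depth=5):
    """Scan archive bytes and nested archives; return [(path, kind), ...]."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive (or truncated): nothing to report
    with zf:
        names = set(zf.namelist())
        if V2_MARKER in names:
            findings.append((label, "log4j2-jndilookup"))
        if V1_MARKER in names:
            findings.append((label, "log4j1"))
        if depth < max_depth:  # bound recursion into nested archives
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_EXT):
                    scan_archive(zf.read(name), f"{label}!/{name}",
                                 findings, depth + 1, max_depth)
    return findings


def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample war with two nested jars; not a real product's contents."""
    return make_zip({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/legacy-logging.jar": make_zip({V1_MARKER: b"stub"}),
        "WEB-INF/lib/bundled-core.jar": make_zip({V2_MARKER: b"stub"}),
    })
```

For a real install, pass the bytes of each war or jar under the Tomcat `webapps` and `lib` folders, for example `scan_archive(open(path, "rb").read(), path)`.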
ajlindy
Brekeke Talented


Joined: 12 Sep 2017
Posts: 53

Posted: Tue Dec 14, 2021 6:30 am

> Mike wrote:
> Log4j packages we are using in our product are not affected by the vulnerability called CVE-2021-44228.
>
> There are two Log4j packages in the product.
>
> - Log4j bundled in the GUI part (Tomcat).
> It is not affected because it is the customized Log4j (not default).
> Please refer to https://bishopfox.com/blog/log4j-zero-day-cve-2021-44228 for more details.
>
> - Log4j bundled in the product core.
> It is not affected because it is Log4j version 1, not version 2.


Thank you very much, Mike!
ajlindy
Brekeke Talented


Joined: 12 Sep 2017
Posts: 53

Posted: Wed Dec 15, 2021 6:31 am

> Mike wrote:
> Log4j packages we are using in our product are not affected by the vulnerability called CVE-2021-44228.
>
> There are two Log4j packages in the product.
>
> - Log4j bundled in the GUI part (Tomcat).
> It is not affected because it is the customized Log4j (not default).
> Please refer to https://bishopfox.com/blog/log4j-zero-day-cve-2021-44228 for more details.
>
> - Log4j bundled in the product core.
> It is not affected because it is Log4j version 1, not version 2.


My apologies, Mike, but the client just came back with this:

"I need more information I think before I can take that.

First, Log4j v1 is very outdated, and has its own security risks.

Secondly, what does customized have to do with reducing risk?"


Can you address these concerns?
Mike
Support Team


Joined: 07 Mar 2005
Posts: 731
Location: Sunny San Mateo

Posted: Wed Dec 15, 2021 3:38 pm

If you are using Brekeke SIP Server, it has its own logging module instead of Log4j in the product core. So you and your client don't have to worry about it.

Even if you use Brekeke PBX, we use our own customized Log4j module (based on ver 1) which blocks any access from non-Brekeke products to avoid security risks.
ajlindy
Brekeke Talented


Joined: 12 Sep 2017
Posts: 53

Posted: Thu Dec 16, 2021 7:45 pm

> Niloc wrote:
> Hi ajlindy,
>
> Have you looked at the following wiki topic "How to update web server (Apache Tomcat)" ?
>
> https://docs.brekeke.com/sip/update-web-server


OK, so I ran into several issues tonight.

1. I made a backup of webapps folder
2. I deleted Brekeke
3. I installed Tomcat 9.0.56 on its own
4. I installed Brekeke
5. I replaced the entire webapps folder (made a backup of the new install).

6. Everything fell apart.
How?

The Brekeke installer for 3.10.6.5 asked if I wanted to install Tomcat. I checked all the instructions about how to use the existing Tomcat I just installed and I'm clearly not technical enough to make that work. So I installed it with Tomcat -- I think this version is older than 9.0.56 though, and will trigger security scans.

Secondly, after I replaced the whole webapps folder and started Brekeke service again, it is showing as version 3.9.4.3, not 3.10.6.5.

That doesn't seem good. I thought maybe it was the sip.war because the old one is from 2019 and the new one is from 2021, but when I replaced the sip.war file, it asked me to activate the license, which I could not do because we do an offline activation.

So yeahhhhhh, I feel like I'm between a rock and a hard place and need some help.
Harold
Brekeke Master Guru


Joined: 21 Sep 2008
Posts: 286
Location: Japan

Posted: Fri Dec 17, 2021 1:48 pm

Do you have any reason to use Tomcat of at least version 9.0.48?

To use a preferred version of Tomcat, please install Apache Tomcat separately with its Windows installer.


Here are the steps.

1. Uninstall Brekeke SIP Server.

2. If you are using Java 8, uninstall it and install Java 11 (Oracle or AdoptOpenJDK)

3. Install Apache Tomcat (it seems you already did it)
Refer to https://docs.brekeke.com/sip/installing-apache-tomcat

4. Access https://www.brekeke.com/downloads/sip-server.php and select "Manual Install (zip)" at [Type of installation].

5. Copy "sip.war" file from downloaded zip file.

6. Install Brekeke SIP Server with "sip.war".
Refer to "2. Installation for Linux" in https://docs.brekeke.com/sip/how-do-i-install-brekeke-sip-server-bss


Last edited by Harold on Fri Dec 17, 2021 1:54 pm; edited 1 time in total
ajlindy
Brekeke Talented


Joined: 12 Sep 2017
Posts: 53

Posted: Fri Dec 17, 2021 1:52 pm

The client has scanned the server and found that the version of Apache Tomcat has to be 9.0.40 or higher. I thought it would make sense to go to 9.0.56 because that is the latest.

What version of Tomcat do both Brekeke 3.10.6.4 and 3.10.6.5 run?

Thank you!


> Harold wrote:
> Do you have any reason to use Tomcat of at least version 9.0.48?
>
> To use a preferred version of Tomcat, please install Apache Tomcat separately with its Windows installer.
>
> Here are the steps.
>
> 1. Uninstall Brekeke SIP Server.
>
> 2. If you are using Java 8, uninstall it and install Java 11 (Oracle or AdoptOpenJDK)
>
> 3. Install Apache Tomcat (it seems you already did it)
> Refer to https://docs.brekeke.com/sip/installing-apache-tomcat
>
> 4. Install Brekeke SIP Server with sip.war, not the installer for Windows.
> Refer to "2. Installation for Linux" in https://docs.brekeke.com/sip/how-do-i-install-brekeke-sip-server-bss
Harold
Brekeke Master Guru


Joined: 21 Sep 2008
Posts: 286
Location: Japan

Posted: Fri Dec 17, 2021 2:00 pm

ajlindy, I modified the instructions a little, so please check them.

> What version of Tomcat do both Brekeke 3.10.6.4 and 3.10.6.5 run?

The installer of Brekeke SIP Server bundles Tomcat version 9.0.44, but you can use any recent Tomcat version if you install Tomcat individually and install Brekeke SIP Server manually with "sip.war".
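Added example, not part of the thread and not Brekeke's tooling: before asking for a rescan, the Tomcat version actually on disk can be read from `lib/catalina.jar` and compared with the scanner's floor (9.0.40 in this thread). The jar built here is a constructed sample, and the function names are this example's own.

```python
import io
import zipfile

# Tomcat records its version in this properties file inside lib/catalina.jar.
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"


def tomcat_version(catalina_jar):
    """Return server.number as a tuple of ints, or None if it cannot be read."""
    with zipfile.ZipFile(catalina_jar) as zf:
        if SERVER_INFO not in zf.namelist():
            return None
        text = zf.read(SERVER_INFO).decode("iso-8859-1")
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "server.number":
            try:
                return tuple(int(part) for part in value.strip().split("."))
            except ValueError:
                return None  # malformed version string
    return None


def meets_minimum(version, minimum):
    """True if version >= minimum; an unreadable version never passes."""
    if version is None:
        return False
    width = max(len(version), len(minimum))
    pad = lambda v: tuple(v) + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)


def build_sample_catalina_jar(number):
    """Constructed sample jar holding only the properties file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVER_INFO,
                    f"# constructed sample\nserver.info=Apache Tomcat/{number}\n"
                    f"server.number={number}.0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for number in ("9.0.33", "9.0.44"):  # versions mentioned in the thread
        found = tomcat_version(build_sample_catalina_jar(number))
        print(number, found, meets_minimum(found, (9, 0, 40)))
```

On a real server, pass the path to `lib\catalina.jar` under the Tomcat install folder instead of the sample object.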
All times are GMT - 7 Hours