Our IT confronted us with the need to update the Apache TomEE immediately on all our KNIME servers to version 7.0.5 because of several security issues. As far as I know KNIME Server version 4.7 includes only 7.0.4.
What I need is a detailed instruction for the IT on how to update all servers from the currently used 7.0.3 to 7.0.5. The other option offered by the IT is that they switch them off.
The CVE that you link to shouldn’t affect the KNIME Server since we don’t use async requests.
We’ve looked into updating to TomEE 7.0.5; that version came out a few weeks after the KNIME Server 4.7.0 release, and only a few days after we finalised the build for the 4.7.1 patch release.
TomEE 7.0.5 has an open issue: “If we distribute the TomEE with 8.5.32, it will be a problem for users who uses lookups with openejb”. Since OpenEJB is a technology that we use, it may not be possible to update to use TomEE 7.0.5.
What are we doing to solve this?
We’ll be testing with TomEE 7.0.5 just in case.
It looks like TomEE 7.0.6 will fix the open issue with OpenEJB. At that point we will test and release an update, or update instructions.
We’re working to eliminate OpenEJB as a technology that we use (it’s a legacy technology), which will mean that we should be able to transition to a pure Tomcat application server in future.
The IT would like to know how long you will need to test 7.0.5.
Is there the option that the IT does update the TomEE version itself somehow? Can you give advice on how to? As we use different server versions, which all seem to use 7.0.3 at the moment, that would be the fastest approach for us instead of updating all the KNIME servers.
It’s possible to do those updates to 7.0.5 yourselves, although as mentioned it is quite likely that it will result in a non-functional KNIME Server for the reason outlined in point 3. The update procedure would be to simply unpack the TomEE 7.0.5 download and transfer across the relevant configuration files, then change the launch scripts to use the new TomEE version. As mentioned the specific CVE that you linked in the issue is very unlikely to be an issue for the KNIME Server.
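The three steps in the reply above (unpack the new TomEE, carry the configuration across, repoint the launch script) as an added shell example. This is not KNIME's or TomEE's own script; it assumes the standard TomEE directory layout (conf/, bin/) and a list of configuration file names that typically hold site-specific settings, and the launch-script name is hypothetical. It keeps the newly shipped default of every overwritten file as a `.dist` copy so the two can be compared before the server is started, which is where the OpenEJB-related breakage mentioned in the thread would show up.

```shell
#!/bin/sh
# Added example, not KNIME's or TomEE's own tooling. Assumes TomEE's conf/ and
# bin/ layout and the config file names below; check them against your install.
set -eu

# Files that usually carry site-specific settings (assumed list).
TOMEE_CONFIG_FILES="conf/server.xml conf/tomee.xml conf/system.properties conf/catalina.properties conf/logging.properties bin/setenv.sh"

# migrate_tomee_config OLD NEW
# Copies each config file present in OLD into the freshly unpacked NEW tree.
# NEW's shipped version is kept as <file>.dist so it can be diffed afterwards.
# Returns 1 if either directory is missing.
migrate_tomee_config() {
    old="$1"; new="$2"
    [ -d "$old" ] && [ -d "$new" ] || { echo "missing directory" >&2; return 1; }
    for f in $TOMEE_CONFIG_FILES; do
        [ -f "$old/$f" ] || continue        # only carry across what OLD has
        mkdir -p "$new/$(dirname "$f")"
        if [ -f "$new/$f" ] && [ ! -f "$new/$f.dist" ]; then
            cp -p "$new/$f" "$new/$f.dist"  # preserve the new default once
        fi
        cp -p "$old/$f" "$new/$f"
    done
}

# config_diff NEW
# Prints the carried-over files that differ from the new version's default;
# those are the ones to review (new defaults, renamed settings) before startup.
config_diff() {
    new="$1"
    for f in $TOMEE_CONFIG_FILES; do
        [ -f "$new/$f.dist" ] || continue
        if ! cmp -s "$new/$f" "$new/$f.dist"; then
            echo "$f"
        fi
    done
}

# repoint_launcher SCRIPT OLD NEW
# Rewrites the absolute TomEE path in a launch script (hypothetical script;
# use whatever starts TomEE on your servers). Keeps a .bak of the original.
repoint_launcher() {
    script="$1"; old="$2"; new="$3"
    [ -f "$script" ] || return 1
    cp -p "$script" "$script.bak"
    sed "s#$old#$new#g" "$script.bak" > "$script"
}

# Typical use (paths are assumptions):
#   tar xzf apache-tomee-7.0.5-plus.tar.gz -C /opt
#   migrate_tomee_config /opt/apache-tomee-7.0.3 /opt/apache-tomee-7.0.5
#   config_diff /opt/apache-tomee-7.0.5
#   repoint_launcher /opt/knime-server/start.sh /opt/apache-tomee-7.0.3 /opt/apache-tomee-7.0.5
```

Run `config_diff` and read the listed files before starting the server: a setting that TomEE renamed or dropped between releases is the kind of thing that produces the non-functional server the reply warns about, and the `.dist` copies make the comparison straightforward.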
Just following up here. I just spent some time trying to manually do this update to 7.0.5 but without any luck. I believe that confirms the issue that I mentioned previously. So I’d strongly recommend waiting for the 7.0.6 update when that becomes available. At that point KNIME will also look into making the update part of the installer.