Tomcat vulnerability CVE-2024-56337

Hi,

TeamCity 2024.12.2 is bundled with Tomcat 9.0.98.

Best regards,
Anton

Hi,

>>i see release notes do not capture the Tomcat version
Thanks for pointing this out, it somehow slipped. The updates of bundled tools should be mentioned in the release notes, and I notified the team about it to make sure it won't happen in the future.

>>When will TeamsCity have the Tomcat 9.0.99 or later versions bundled ?
It is currently planned for 2024.12.3.

Best regards,
Anton

Hi Steven,

We had to postpone the bundled Tomcat update to 2024.12.4, but I want to assure you that we're doing all we can to provide the fix as soon as possible.

Anyway, if you are concerned about this vulnerability, you may upgrade the Tomcat version TeamCity uses manually. Please refer to https://www.jetbrains.com/help/teamcity/how-to.html#Install+Non-Bundled+Version+of+Tomcat
I recommend you first try running TeamCity on the later version of Tomcat on a test server before making the change on your production instance.

Best regards,
Anton

Hi Christian,

The updated bundled Tomcat will be included with the next release, which is planned for next week. However, the ETA could be changed if additional time is needed to prepare it.
As mentioned above, you may upgrade the Tomcat version TeamCity uses manually. Please refer to https://www.jetbrains.com/help/teamcity/how-to.html#Install+Non-Bundled+Version+of+Tomcat

Best regards,
Anton