Servoy Forum

[Bernd.N]

The IT department of one of our customers recommended to update the current Tomcat 6.0.37 version, pointing to this documentation that lists some security issues that are fixed in higher versions:
https://tomcat.apache.org/security-6.html

Now there is also Tomcat 7.x and 8.x around, and what I know so far is that those have higher requirements for the Java Version they support, as is listed in the table here:
https://tomcat.apache.org/whichversion.html

Now there will always be security issues in future, and I currently wonder if an update is necessary at once when a new Tomcat version is released and the doc tells that there was another security issue fixed.

I have two questions regaring this:
- When you only run smart clients and no web clients, is a smart client as vulnerable as a web client regarding Tomcat security issues?
- Did you upgrade the Tomcat 6.0.37 version to any higher version, and how difficult is it and what were your experiences?
I mean, "Never change a running system" is a motto one has to think about here, I do not want to cripple a stable running Servoy solution.

[jcompagner]

For a smart client a tomcat is running (with some stuff so that the smart client can get its data)
so if somehow in that setup a default servlet or something else that had a security issue is somehow used then it can be accessed
Because even if you only really run smart client you can still start a webclient that is all enabled.

you should be able to update the applicaiton_server\server\lib dir with the latest tomcat 6.x lib files just fine.
I am not sure if you really can upgrade those easily again to a 7 or even 8 release.