VMware

tc Runtime Known Vulnerabilities

Last Document Update: 13 NOV 2013

For Apache Tomcat security advisories, see these pages:

The following table shows each supported vFabric tc Server version and the corresponding Apache Tomcat version on which the tc Server version is built. Where noted, an additional fix was made in tc Runtime. See the aforementioned security advisories pages for security information about each version.

| tc Server Runtime Version | Apache Tomcat Version |
|---|---|
| 2.5.0 | 6.0.32 (6.0.32.B) |
| 2.5.0 | 7.0.12 plus fix for CVE-2011-1582 (7.0.12.A) |
| 2.5.1 | 6.0.32 plus fix for CVE-2011-1184 (6.0.32.C) |
| 2.5.1 | 7.0.16 (7.0.16.A) |
| 2.5.2 | 6.0.33 plus fix for CVE-2011-3190 (6.0.33.A) |
| 2.5.2 | 7.0.20 plus fix for CVE-2011-3190 (7.0.20.B) |
| 2.6.0 | 6.0.32 plus fixes for CVE-2011-2204 and CVE-2011-1184 (6.0.32.D) |
| 2.6.0 | 7.0.19 (7.0.19.A) |
| 2.6.1 | 6.0.33 plus fix for CVE-2011-3190 (6.0.33.A) |
| 2.6.1 | 7.0.20 plus fix for CVE-2011-3190 (7.0.20.B) |
| 2.6.2 | 6.0.33 plus fixes for CVE-2011-3190, CVE-2011-3190, and CVE-2011-3375 (6.0.33.B) |
| 2.6.2 | 7.0.22 (7.0.22.A) |
| 2.6.3 | 6.0.35 (6.0.35.A) |
| 2.6.3 | 7.0.23 (7.0.23.A) |
| 2.6.4 | 6.0.35 (6.0.35.A) |
| 2.6.4 | 7.0.25 (7.0.25.B) |
| 2.6.5 | 6.0.35 (6.0.35.A) |
| 2.6.5 | 7.0.26 (7.0.26.A) |
| 2.7.0 | 6.0.35 (6.0.35.B) |
| 2.7.0 | 7.0.27 (7.0.27.A) |
| 2.7.1 | 6.0.35 (6.0.35.B) |
| 2.7.1 | 7.0.29 (7.0.29.A) |
| 2.7.2 | 6.0.35 (6.0.35.B) |
| 2.7.2 | 7.0.30 (7.0.30.A) |
| 2.8.0 | 6.0.35 (6.0.35.B) |
| 2.8.0 | 7.0.30 (7.0.30.A) |
| 2.8.1 | 6.0.36 (6.0.36.A) |
| 2.8.1 | 7.0.32 (7.0.32.B) |
| 2.8.2 | 6.0.36 plus fix for CVE-2013-2067 (6.0.36.B) |
| 2.8.2 | 7.0.35 (7.0.35.B) |
| 2.9.1 | 6.0.36 plus fix for CVE-2013-2067 (6.0.36.B) |
| 2.9.1 | 7.0.37 (7.0.37.B) |
| 2.9.2 | 6.0.37 (6.0.37.A) |
| 2.9.2 | 7.0.39 plus fix for CVE-2013-2071 (7.0.39.B) |
| 2.9.3 | 6.0.37 (6.0.37.A) |
| 2.9.3 | 7.0.42 (7.0.42.B) |
| 2.9.4 | 6.0.37 (6.0.37.B) |
| 2.9.4 | 7.0.47 (7.0.47.A) |

CVE-2009-3548, a vulnerability in Apache Tomcat 6.0.20, does not affect vFabric tc Server because tc Server does not use the Windows installer provided with Tomcat.

CVE-2009-3555, the SSL protocol MITM vulnerability, may be worked around via configuration. Details are provided on the Tomcat 6 security advisories page.

CVE-2011-2729, the Commons Daemon vulnerability, does not affect vFabric tc Server because vFabric tc Server does not use the Commons Daemon service wrapper.