Apache Tomcat does not appear in the scan results
When Software Vulnerability Manager (SVM) scans a device on which the Apache Tomcat web server is installed, the scan results do not show Tomcat as installed on that device.
Software Vulnerability Manager looks for files with the exe, dll and ocx binary extensions while scanning a device. The metadata in the PE header of these files is used to tie them back to their respective product and version.
Apache Tomcat provides two installer formats for the Windows platform – ZIP and EXE. After installing from the ZIP package, the install directory contains no exe, dll or ocx files. Because the ZIP package includes none of the binary formats SVM can recognize, SVM fails to identify Tomcat when scanning a device on which the ZIP package was installed.
The EXE installer places two .exe files in the install directory. However, the Product Version read from the PE header of these files does not match the version of Tomcat actually installed on the device, so SVM cannot determine which product version the files belong to and therefore cannot identify the installed Tomcat version. As a result, Tomcat will not appear in SVM scan results.
For instance, Tomcat.exe and Tomcat10w.exe are the two binary files installed by Tomcat version 10.0.5.0, yet the Product Version in the PE header of both files is 18.104.22.168.
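To see for yourself what identification data SVM has to work with on a given device, the following PowerShell script (an added example, not part of SVM or of the Apache Tomcat project) enumerates the exe, dll and ocx files under a Tomcat install directory, reads the PE version resource of each, and compares it with the Tomcat version actually installed. The default install path and the assumption that RELEASE-NOTES in the install root carries a line of the form "Apache Tomcat Version 10.0.5" are assumptions; adjust them for your environment.

```powershell
# Added example (not Flexera's or Apache's code): compare the PE version
# resource of Tomcat's Windows binaries with the Tomcat version actually
# installed, to show why SVM cannot tie the files to a product version.
param(
    # Assumed default location of the EXE-installer layout; adjust as needed.
    [string]$InstallDir = 'C:\Program Files\Apache Software Foundation\Tomcat 10.0'
)

# 1. Determine the installed Tomcat version from RELEASE-NOTES
#    (assumed to exist in the install root and to contain a line such as
#    "Apache Tomcat Version 10.0.5").
$installedVersion = $null
$notes = Join-Path $InstallDir 'RELEASE-NOTES'
if (Test-Path $notes) {
    $hit = Select-String -Path $notes -Pattern 'Apache Tomcat Version\s+(\S+)' |
           Select-Object -First 1
    if ($hit) { $installedVersion = $hit.Matches[0].Groups[1].Value }
}

# 2. Enumerate only the binary types SVM inspects (exe, dll, ocx).
$binaries = Get-ChildItem -Path $InstallDir -Recurse -File `
            -Include *.exe, *.dll, *.ocx -ErrorAction SilentlyContinue

if (-not $binaries) {
    # Typical outcome for a ZIP-package install: nothing for SVM to fingerprint.
    Write-Output "No exe/dll/ocx files under $InstallDir - SVM has nothing to identify."
}

# 3. Read the PE version info of each binary and check whether its
#    Product Version could be matched to the installed Tomcat version.
foreach ($bin in $binaries) {
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($bin.FullName)

    # Numeric (fixed-info) product version; the string ProductVersion may differ.
    $numeric = '{0}.{1}.{2}.{3}' -f $vi.ProductMajorPart, $vi.ProductMinorPart,
                                     $vi.ProductBuildPart, $vi.ProductPrivatePart

    # A scanner can only tie the file to the product if the versions agree.
    $versionMatch = [bool]($installedVersion -and $vi.ProductVersion -and
                           $vi.ProductVersion.StartsWith($installedVersion))

    [pscustomobject]@{
        File            = $bin.Name
        ProductName     = $vi.ProductName
        ProductVersion  = $vi.ProductVersion
        FixedVersion    = $numeric
        InstalledTomcat = $installedVersion
        Identifiable    = $versionMatch
    }
}
```

Run it from an elevated PowerShell prompt with `.\Check-TomcatVersionInfo.ps1 -InstallDir '<your Tomcat root>'`. On a ZIP-package install the script reports that there are no binaries at all; on an EXE-package install it lists the two .exe files with an `Identifiable` value of `False` whenever their PE Product Version does not agree with the version in RELEASE-NOTES, which is exactly the condition under which SVM leaves Tomcat out of the scan results.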
The PE header metadata of the binaries installed by a product plays a crucial role in identifying the correct product name and installed version. Tomcat either installs no binary files at all, or (when it does) provides unreliable identification data in them; as a result, SVM cannot correctly identify the presence of any Tomcat version on a device. Interested customers are encouraged to reach out to the creators of Apache Tomcat to align the version information in the binary files with the product version installed on the device. Currently there is no workaround available in SVM to address this deficiency.