We presently do not patch Apache Tomcat frequently within the Typefi Server for Workgroup package. When we do, we only update using Tomcat LTS releases and the Typefi Server release notes will list that as a change.
There are three common risk mitigation strategies organizations can take:
- Run Typefi Server in an isolated environment, thus reducing exposure.
- Run Typefi Server behind a proxy. This enables additional controls and also reduces exposure.
- Run Typefi Server on your own Tomcat installation. This enables you to run a custom Tomcat config with the level of patching and hardening acceptable to your needs.
If choosing the latter (run Typefi Server on your own Tomcat installation), be aware that Typefi Server includes Tomcat inside its ROOT.WAR file and the Typefi Plugin WAR files found in /webapps/. There are couple of items we have modified to our needs that can be easily reconciled with a custom Tomcat installation, or extended for additional logging, performance settings, etc.:
\Server\conf\server.xml— this is effectively standard config, but it can be modified to suit your needs.
\Server\conf\tomcat-users.xml— this needs a user that is configured in Typefi Server's properties, but it can be changed.
\Server\conf\web.xml— this has several changes that need to be brought into a clean install, they are found towards the end of the file and should be easy to locate.
Alternatively, you can modify the installed Typefi Server config with certain hardening capabilities like advanced logging, and then maintain those changes as you upgrade from one version of Tomcat to the next. Note: this does require that you track those changes since they may be undone in a subsequent Typefi Server update. For this reason we generally do not suggest this as an option.