question on Upgrading Apache Tomcat
Moderator: Brekeke Support Team
1. Brekeke Product Name and Version: Advanced Edition 3.10.6.4
2. Java version: Current, but unknown
3. OS type and the version: Windows 2016 64-bit
4. UA (phone), gateway or other hardware/software involved:
5. Your problem:
I'm going to have to upgrade from the current version of Brekeke I have because it bundled Apache Tomcat 9.0.33 and now we need to go to at least 9.0.48 due to more vulnerabilities found.
I'm going to make a backup of the webapps folder, uninstall Brekeke, separately install Apache Tomcat 9.0.55 and then reinstall Brekeke 3.10.6.5 (a slight upgrade) and put the old webapps folder back in place.
Are there any problems with what I just said?
Thank you!
Hi ajlindy,
Have you looked at the following wiki topic "How to update web server (Apache Tomcat)"?
https://docs.brekeke.com/sip/update-web-server
Niloc wrote:
> Hi ajlindy,
> Have you looked at the following wiki topic "How to update web server (Apache Tomcat)"?
> https://docs.brekeke.com/sip/update-web-server
Yes I have, and I plan on doing those steps - was just curious if there were any other Gotchas that maybe the guide wouldn't be talking about that people knew to watch for.
Thank you!
Does Brekeke SIP Proxy fall prey to the Log4J vulnerability?
Log4j packages we are using in our product are not affected by the vulnerability called CVE-2021-44228.
There are two Log4j packages in the product.
- Log4j bundled in the GUI part (Tomcat).
It is not affected because it is the customized Log4j (not default).
Please refer to https://bishopfox.com/blog/log4j-zero-d ... 2021-44228 for more details.
- Log4j bundled in the product core.
It is not affected because it is Log4j version 1, not version 2.
Mike wrote:
> Log4j packages we are using in our product are not affected by the vulnerability called CVE-2021-44228.
> There are two Log4j packages in the product.
> - Log4j bundled in the GUI part (Tomcat).
> It is not affected because it is the customized Log4j (not default).
> Please refer to https://bishopfox.com/blog/log4j-zero-d ... 2021-44228 for more details.
> - Log4j bundled in the product core.
> It is not affected because it is Log4j version 1, not version 2.
Thank you very much, Mike!
Mike wrote:
> Log4j packages we are using in our product are not affected by the vulnerability called CVE-2021-44228.
> There are two Log4j packages in the product.
> - Log4j bundled in the GUI part (Tomcat).
> It is not affected because it is the customized Log4j (not default).
> Please refer to https://bishopfox.com/blog/log4j-zero-d ... 2021-44228 for more details.
> - Log4j bundled in the product core.
> It is not affected because it is Log4j version 1, not version 2.
My apologies, Mike, but the client just came back with this:
"I need more information I think before I can take that.
First, Log4j v1 is very outdated, and has its own security risks.
Secondly, what does customized have to do with reducing risk?"
Can you address these concerns?
If you are using Brekeke SIP Server, it has its own logging module instead of Log4j in the product core. So you and your client don't have to worry about it.
Even if you use Brekeke PBX, we use our own customized Log4j module (based on ver 1) which blocks any access from non-Brekeke products to avoid security risks.
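
The Log4j 1.x versus 2.x distinction made in the replies above can be checked against the archives actually deployed. The following is an added example, not part of the thread and not Brekeke's code: it walks a WAR/JAR and the jars nested in it, looking for upstream Log4j marker classes. The sample archive and its jar names are constructed, and it assumes the build keeps upstream package names.

```python
import io
import zipfile

# Upstream Log4j class paths (assumption: the build keeps these package names).
LOG4J2_JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE = "org/apache/logging/log4j/core/Logger.class"
LOG4J1_API = "org/apache/log4j/Logger.class"
MARKERS = [(LOG4J2_JNDI, "log4j2-core with JndiLookup"),  # first match wins
           (LOG4J2_CORE, "log4j2-core without JndiLookup"),
           (LOG4J1_API, "log4j 1.x classes")]
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def classify(names):
    """Map one archive's entry names to a Log4j finding, or None."""
    return next((label for path, label in MARKERS if path in names), None)

def scan_archive(data, label, depth=0, max_depth=4):
    """Return [(path, finding)] for an archive and the archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip-format archive
    findings = []
    with zf:
        names = set(zf.namelist())
        kind = classify(names)
        if kind:
            findings.append((label, kind))
        nested = sorted(n for n in names if n.lower().endswith(ARCHIVE_EXT))
        for name in nested if depth < max_depth else []:  # bound the recursion
            findings += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)
    return findings

def make_zip(entries):  # {entry name: bytes} -> archive bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()

def build_sample_war():
    """Constructed input: a WAR holding one 1.x-style and one 2.x-style jar."""
    old = make_zip({LOG4J1_API: b""})
    new = make_zip({LOG4J2_CORE: b"", LOG4J2_JNDI: b""})
    return make_zip({"WEB-INF/lib/old-logging.jar": old, "WEB-INF/lib/new-logging.jar": new})

if __name__ == "__main__":
    for path, finding in scan_archive(build_sample_war(), "sample.war"):
        print(f"{path}: {finding}")
```

To scan a real file, pass its bytes and path to `scan_archive`. A customized build that relocates packages will not match these markers, so an empty result supplements the vendor's statement rather than replacing it.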
Niloc wrote:
> Hi ajlindy,
> Have you looked at the following wiki topic "How to update web server (Apache Tomcat)"?
> https://docs.brekeke.com/sip/update-web-server
OK, so I ran into several issues tonight.
1. I made a backup of webapps folder
2. I deleted Brekeke
3. I installed Tomcat 9.0.56 on its own
4. I installed Brekeke
5. I replaced the entire webapps folder (made a backup of the new install).
6. Everything fell apart.
How?
The Brekeke installer for 3.10.6.5 asked if I wanted to install Tomcat. I checked all the instructions about how to use the existing Tomcat I just installed and I'm clearly not technical enough to make that work. So I installed it with Tomcat -- I think this version is older than 9.0.56 though, and will trigger security scans.
Secondly, after I replaced the whole webapps folder and started Brekeke service again, it is showing as version 3.9.4.3, not 3.10.6.5.
That doesn't seem good. I thought maybe it was the sip.war because the old one is from 2019 and the new one is from 2021 but when I replaced the sip.war file, it asked me to activate the license which I could not do because we do an offline activation.
So yeahhhhhh, I feel like I'm between a rock and a hard place and need some help.
Do you have any reason to use a Tomcat of at least version 9.0.48?
To use a preferred version of Tomcat, please install Apache Tomcat separately with its Windows installer.
Here are the steps.
1. Uninstall Brekeke SIP Server.
2. If you are using Java 8, uninstall it and install Java 11 (Oracle or AdoptOpenJDK)
3. Install Apache Tomcat (it seems you already did it)
Refer to https://docs.brekeke.com/sip/installing-apache-tomcat
4. Access https://www.brekeke.com/downloads/sip-server.php and select "Manual Install (zip)" at [Type of installation].
5. Copy "sip.war" file from downloaded zip file.
6. Install Brekeke SIP Server with "sip.war".
Refer to "2. Installation for Linux" in https://docs.brekeke.com/sip/how-do-i-i ... server-bss
Last edited by Harold on Fri Dec 17, 2021 1:54 pm, edited 1 time in total.
Harold wrote:
> Do you have any reasons to use a Tomcat at least version 9.0.48?
> For using a preferred version of Tomcat, please install the Apache Tomcat separately with its Windows installer.
> Here are steps.
> 1. Uninstall Brekeke SIP Server.
> 2. If you are using Java 8, uninstall it and install Java 11 (Oracle or AdoptOpenJDK)
> 3. Install Apache Tomcat (it seems you already did it)
> Refer to https://docs.brekeke.com/sip/installing-apache-tomcat
> 4. Install Brekeke SIP Server with sip.war, not the installer for Windows.
> Refer to "2. Installation for Linux" in https://docs.brekeke.com/sip/how-do-i-i ... server-bss
The client has scanned the server and found that the version of Apache Tomcat has to be 9.0.40 or higher. I thought it would make sense to go to 9.0.56 because that is the latest.
What version of Tomcat do both Brekeke 3.10.6.4 and 3.10.6.5 run?
Thank you!
ajlindy, I modified the instructions a little, so please check them.
> What version of Tomcat do both Brekeke 3.10.6.4 and 3.10.6.5 run?
The installer of Brekeke SIP Server bundles Tomcat version 9.0.44, but you can use any recent Tomcat version if you install Tomcat individually and install Brekeke SIP Server manually with "sip.war".