Due to a reported vulnerability in Tomcat we recommend that you upgrade to Tomcat 8.5.66 (14.5 only). Download the files here.
**IMPORTANT** we have tested Tomcat 8.5.66. If you upgrade to a higher Tomcat version that we haven't tested you may encounter issues.
Version 15.0 includes Tomcat 9.0.x support and updates to a version that addresses these vulnerabilities automatically with our latest 15.0.8 upgrade file. Please contact Support at firstname.lastname@example.org for the file.
This documentation covers upgrading Apache Tomcat manually.
Upgrading the Core Libraries
The core libraries are the easiest part of Tomcat to update, and generally, this is all that's needed to take advantage of the latest bug fixes, new features, and security updates. Occasionally, more than just the libraries will need to be updated, but this varies by update, so watch the release notes to see if anything outside the core libraries was updated (e.g. web applications, windows service, controls, etc.).
To update the Tomcat libraries, take the following steps:
STEP 1 - Shut Down Lucee/Tomcat
It could be problematic to copy over libraries while the server that utilizes them is still running, so stop the Lucee/Tomcat service on the web server before proceeding with the update.
STEP 2 - Download and Unzip Tomcat
- Download the Tomcat Core zip file.
- Once you download and unzip it, you should see a "lib" directory in the unzipped files
STEP 3 - Create a Backup
By default, Lucee is installed to C:\lucee or C:\sqbox\lucee which means that the Tomcat libraries are going to be located in C:\lucee\tomcat\lib or C:\sqbox\lucee\tomcat\lib.
We need to copy the files from the core lib directory that we just downloaded to the lib directory inside the installed Tomcat directory. Before we do that, it would be wise to copy the C:\lucee\tomcat\lib or C:\sqbox\lucee\tomcat\lib directory to use as a backup in case anything goes wrong. You can do that by running the following command:
cp C:\lucee\tomcat\lib\ C:\lucee\tomcat\lib-bak\
cp C:\sqbox\lucee\tomcat\lib\ C:\sqbox\lucee\tomcat\lib-bak\
STEP 4 - Copy Libraries Over
Once the backup of the lib directory has been created, copy the .jar files from the core /lib directory that was just downloaded to the lib directory inside the installed Tomcat (C:\lucee\tomcat\lib or C:\sqbox\lucee\tomcat\lib) directory.
Notice that our current install of Tomcat has files/folders in addition to the jar files we will be copying over. You won't want to delete these files/folders unless you are upgrading them as well.
STEP 5 - Create Secret Phrase
- Choose a phrase to use as a shared secret. For this example, I'm using "someSecret".
- In the Lucee installation directory, in lucee/tomcat/conf directory, edit the file server.xml.
- On the line after <!-- Define an AJP 1.3 Connector on port 8009 -->, add your new secret with secret="someSecret" into the tag. Save the file. It will look something like this:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secret="someSecret" />
- Locate the file called "BonCodeAJP13.settings", usually located in the C:\Windows directory. Edit with administrative permissions. Create a new line after the </ModCFMLSecret> entry. Add <RequestSecret>someSecret</RequestSecret> in the empty line. Save the file.
- Restart the Lucee service and perform an IIS reset.
Replace someSecret where it appears in the instructions above with your own secret phrase.
STEP 6 - Start Tomcat and Check Version
Start up the Lucee/Tomcat service on the webserver again. From the Lucee web admin check the version of tomcat. This information is found within the General Information in the Servlet Container value