Security and system vulnerabilities are in the news daily. Some of it may be misleading and some of it may seem incomprehensible or impractical. Oracle Agile Product Lifecycle Management (PLM) is often overlooked when IT security teams evaluate systems and it is not usually considered a client for security patching beyond the supporting operating system. However, Agile PLM is dependent on two significant subsystems: WebLogic and Apache Tomcat. The main Agile PLM server is hosted in a WebLogic virtual machine and the File Manager is hosted in an Apache Tomcat host.

Although it is often recommended to run the latest Apache Tomcat version whenever possible, Agile PLM has been limited to using only the version of Apache Tomcat that came with the original installation. This is because the Agile PLM File Manager uses a rather distinct deployment of Apache Tomcat and although it has been possible to manually update Apache Tomcat in these environments, it has not been supported by Oracle Support and is complex. One of the limiting factors is the support for various Java versions.  Agile PLM version 9.3.3 is certified to use Java 1.6 while Agile PLM 9.3.5 is certified with Java 1.8.  If you attempt to upgrade Apache Tomcat to a version which requires a newer version of Java than that installed with your Agile PLM you risk introducing anything from full system failure to intermittent functionality failures.

Oracle Support has recently rectified this lack of support by releasing update patches for version 9.3.3, 9.3.4 and 9.3.5 of Agile PLM.  The full knowledge base article is titled How Does One Update Apache Tomcat on Agile PLM System? (Doc ID 2230460.1) and is available here: https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=1dgic9gnrc_4&_afrLoop=806344304188787#FIX with an Oracle Support account.

This document details the three patches that are available and describes how to get them and how to apply them. All three patches are General Availability and can be downloaded without a password but do require an active Oracle Support Account.

WHAT DO THE PATCHES CONTAIN?
The Oracle notes do not specify the vulnerabilities that are being patched by these updates but the patches appear to be aimed at the WebDAV class file(s).  The patch for 9.3.5 contains only one update while 9.3.3 and 9.3.4 contain 8 new files each.  This is most likely due to Agile PLM 9.3.3 and 9.3.4 File Managers being based on Tomcat 7 while Agile PLM 9.3.5 is based on Tomcat 8.  WEBDAV is part of the File Manager and enables the ability to upload and download files. The patch for Agile PLM 9.3.4 raises the File Manager to Tomcat 7.0.69 and addresses at least one documented OpenSSL vulnerability as well. Although I cannot currently prove that Apache Tomcat in Agile PLM is demonstrably safer with these updates, patching to a newer and less vulnerable version of Tomcat can hardly be considered a bad thing.

AGILE PLM 9.3.3.0.206 PATCH
The 9.3.3.0.206 patch updates Apache Tomcat to version 7.0.59

The patch has a single prerequisite patch requirement of patch number 9.3.3.30.  However, 9.3.3.0.30 relies on hot fixes 9.3.3.0.144; 9.3.3.0.2; 9.3.3.0.3; 9.3.3.0.15 for installation.

This makes the installation more complex as there are some potential patch incompatibilities if you have other patches installed.  Review the documentation closely and as always, test on a NON-PRODUCTION environment. If your environment has more hot fixes installed (or you need some of the list prerequisites) you need to review the dependencies and incompatibilities closely to determine the exact hot fix path that will be required.

Although I had to install several required patches, the Apache update went without an issue and I would recommend anyone running Agile PLM 9.3.3 to consider the update via Agile PLM Hot Fix 9.3.3.0.206

AGILE PLM 9.3.4.0.137 PATCH
The 9.3.4 patch updates Apache Tomcat to version 7.0.69 and is officially listed as 9.3.4.0.137.  This version of the Apache update hot fix does not have any prerequisite hot fixes although my testing environment already had the following extensive list of hot fixes:

Update Versions=9.3.4.0.1; 9.3.4.0.3; 9.3.4.0.9; 9.3.4.0.2; 9.3.4.0.5; 9.3.4.0.4; 9.3.4.0.24; 9.3.4.0.25; 9.3.4.0.50; 9.3.4.0.97;

The hot fix applied without an issue and the File Manager and app server were fully functional in my testing.  However, I must stress that your combination of hot fixes and other variables may react differently, so test this in a NON-PRODUCTION environment first.

AGILE PLM 9.3.5.0.18 PATCH
The Agile PLM 9.3.5.0.18 patch updates Apache Tomcat to version 8.0.35 and is officially titled 9.3.5.0.18. There are no prerequisites for this patch but again I strongly urge you to test in your environment before deploying to a PRODUCTION system.

INSTALLATION PROCESS - ALL VERSIONS
Installation is the same on all three platforms and if you have Distributed File Managers (DFM) you will have to apply the fix to each DFM as well.

1. Stop the app server and all File Managers.
2. Navigate to [AgileHome]/FileManager directory and delete the "work" directory.
3. Navigate to [AgileHome]/FileManager/webapps directory and delete the "Filemgr" directory.
4. Run the Install_patch.bat (or Install_patch.sh on Linux) to apply the patch.
5. Start the application server.
6. Start the File Manager and test.

These Apache Tomcat patches for Agile PLM are a welcome solution to some of the vulnerabilities that have been known for some time.  For the safety of your Agile PLM system, I recommend testing and implementing these patches as soon as possible. 

Author Bob McDuffee, Certified Ethical Hacker (CEH), has over 30 years experience and is a System Engineer for Zero Wait-State. He is responsible for installing software for clients and overseeing hosted and virtual environments. He provides configuration information for customers and debugs hardware issues both for clients and the company internally. His experience includes implementing, troubleshooting and upgrading PDM systems on Linux, Solaris and Windows servers utilizing both WebLogic and Oracle Application Server.