SAP BOBJ Tomcat Vulnerability Fix

SAP BOBJ Tomcat Vulnerability Fix (CVE) — Upgrade Apache Tomcat 9.0.111

Addressing Apache Tomcat vulnerabilities is crucial for maintaining a secure SAP BusinessObjects BI environment. This guide explains how to upgrade to Tomcat 9.0.111 by replacing binaries only — avoiding redeployment while resolving known CVEs efficiently.

Note: At the time of writing this blog, Tomcat 9.0.111 was the latest stable release. You may choose a newer version instead if it specifically addresses the CVE relevant to your environment.

Pre-Upgrade Preparation

  1. Stop the Tomcat service:
    net stop BOEXI140Tomcat
  2. Verify the installation directory:
    C:\Program Files (x86)\SAP BusinessObjects\Tomcat
  3. Back up the following folders:
    • bin, lib, conf
    • Optionally: webapps, work, temp
  4. Ensure Tomcat9w.exe and service configuration remain unchanged.

Download and Extract Tomcat 9.0.111

  1. Download the latest version from Apache Tomcat Downloads.
  2. Extract it to a temporary directory:
    C:\Temp\Tomcat_9.0.111\

Replace Binaries Only

  1. Copy the following:
    C:\Temp\Tomcat_9.0.111\bin  →  C:\Program Files (x86)\SAP BusinessObjects\Tomcat\bin
    C:\Temp\Tomcat_9.0.111\lib  →  C:\Program Files (x86)\SAP BusinessObjects\Tomcat\lib
  2. Choose Replace files in destination when prompted.
  3. Do not overwrite: conf, webapps, logs, or work.
  4. Maintain original folder permissions.
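
One way to confirm that the copy step above replaced every file, as an added example (not part of the original guide and not an SAP or Apache tool): it hashes bin and lib in the extracted release and in the installation, then lists files that are missing, still carry the old content, or exist only in the installation. The paths are the ones used in this guide; the helper names Get-HashMap and Compare-TomcatFolder are hypothetical.

```powershell
# Added example: check that the binary-only copy replaced every release file.
# Run while the BOEXI140Tomcat service is still stopped.
$ErrorActionPreference = 'Stop'
$Source = 'C:\Temp\Tomcat_9.0.111'                              # extracted release (path from this guide)
$Target = 'C:\Program Files (x86)\SAP BusinessObjects\Tomcat'   # installation (path from this guide)

# Hypothetical helper: relative path -> SHA-256 for every file under $Root.
function Get-HashMap {
    param([string]$Root)
    $base = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    $map = @{}
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length + 1)
        $map[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

# Hypothetical helper: emit one finding per file that differs between the two trees.
function Compare-TomcatFolder {
    param([string]$Folder)
    $src = Get-HashMap (Join-Path $Source $Folder)
    $dst = Get-HashMap (Join-Path $Target $Folder)
    foreach ($rel in $src.Keys) {
        if (-not $dst.ContainsKey($rel)) {
            [pscustomobject]@{ Folder = $Folder; Status = 'MissingInTarget'; File = $rel }
        } elseif ($dst[$rel] -ne $src[$rel]) {
            [pscustomobject]@{ Folder = $Folder; Status = 'NotReplaced'; File = $rel }
        }
    }
    foreach ($rel in $dst.Keys) {
        if (-not $src.ContainsKey($rel)) {
            [pscustomobject]@{ Folder = $Folder; Status = 'OnlyInTarget'; File = $rel }
        }
    }
}

$findings = @('bin', 'lib' | ForEach-Object { Compare-TomcatFolder $_ })
$blocking = @($findings | Where-Object { $_.Status -ne 'OnlyInTarget' })

$findings | Sort-Object Folder, Status, File | Format-Table -AutoSize
if ($blocking.Count -gt 0) {
    Write-Warning "$($blocking.Count) release file(s) missing or not replaced; re-run the copy before starting the service."
} else {
    Write-Output 'All bin and lib files match the extracted release.'
}
```

OnlyInTarget entries are files the new release does not ship, such as leftovers from the older Tomcat build or locally added files; review them rather than deleting them automatically.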

Validate Configuration

  1. Compare the following configuration files:
    • server.xml
    • web.xml
  2. Verify the Tomcat version:
    cd "C:\Program Files (x86)\SAP BusinessObjects\Tomcat\bin"
    version.bat
    # Expected output: Apache Tomcat/9.0.111

Restart and Verify

  1. Start the Tomcat service:
    net start BOEXI140Tomcat
  2. Monitor the runtime log:
    C:\Program Files (x86)\SAP BusinessObjects\Tomcat\logs\stderr.log
  3. Confirm BI Launchpad and CMC load correctly via browser.

Post-Upgrade Validation

  • Service Check: Verify BOEXI140Tomcat is running under services.msc.
  • Version Check: version.bat should return Apache Tomcat/9.0.111.
  • Log Check: Look for “Server startup in ... ms” with no SEVERE errors.
  • Application Check:

Rollback (if needed)

  1. Stop the service:
    net stop BOEXI140Tomcat
  2. Restore your backed-up bin and lib folders.
  3. Restart the service and validate recovery.

Conclusion

Upgrading to Apache Tomcat 9.0.111 ensures your SAP BusinessObjects BI 4.x system remains protected against known vulnerabilities (CVE). This lightweight, binary-only method minimizes downtime while maintaining all configurations and services. Always verify newer Tomcat releases as they may address additional CVEs relevant to your deployment.

Tags: SAP BOBJ, Apache Tomcat, CVE, Security Fix, SAP BusinessObjects BI, Tomcat Upgrade, BI 4.x, Vulnerability Patch
