So my org had a Tomcat server on version 8.5.30 (I think it was). I recently switched from using OpenVAS in Kali to installing it on a standalone from a script at https://github.com/yu210148/gvm_install. The person in charge of the Tomcat server updated it to 8.5.51 (I think).
I scanned the Tomcat server with the new install of GVM 11 but it still detects the old version of Tomcat, not the new one. The OpenVAS on Kali is also detecting the older version and I have no idea why. When I browse to the IP:8080, I see version 8.5.51 at the top so I know it got updated. Any ideas?
The output of “Apache Tomcat Detection (Consolidation)” (OID: 1.3.6.1.4.1.25623.1.0.107652) should give you some additional information about the detection and on what ground the detection was concluded (e.g. concluded from string/URL).
That helped a lot actually! It seems it’s looking at the release-notes.txt and getting the version from there. I’m going to try to update the release notes and rescan and see.
Hello. I have the same problem, but with another version of Tomcat. Changing this file doesn’t help me. Did you solve that problem?
I also got the same issue but now I got the solution. Check the root directory of Tomcat where your project is deployed, and remove the ROOT and manager directories. Now copy the same ROOT and manager from the updated Tomcat release that you have installed. Your issue will be resolved in the next scan.
OpenVAS gets the version information from these directories.
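The thread's finding is that the scanner reads the version from files left behind in the deployed webapps (release-notes.txt under ROOT and similar), so an upgraded server can still advertise the old version. The script below is an added example, not part of any post in this thread or of GVM: it walks a webapps directory and lists release-notes files whose banner disagrees with the installed version. The function names, the command-line usage and the banner pattern "Apache Tomcat Version x.y.z" are assumptions.

```python
import os
import re
import sys

# Assumption: the release notes carry a banner line such as
# "Apache Tomcat Version 8.5.30"; adjust the pattern if yours differs.
BANNER = re.compile(r"Apache Tomcat Version\s+(\d+(?:\.\d+){1,3})")


def find_release_notes(webapps_dir):
    """Yield paths of release-notes files under every deployed webapp."""
    for root, _dirs, files in os.walk(webapps_dir):
        for name in files:
            # Match case-insensitively: the thread writes release-notes.txt.
            if name.lower() == "release-notes.txt":
                yield os.path.join(root, name)


def banner_version(path, max_bytes=8192):
    """Return the version in the file's banner, or None if absent."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        match = BANNER.search(fh.read(max_bytes))
    return match.group(1) if match else None


def stale_webapp_files(webapps_dir, installed_version):
    """List (path, advertised_version) pairs that disagree with the install."""
    stale = []
    for path in sorted(find_release_notes(webapps_dir)):
        advertised = banner_version(path)
        if advertised is not None and advertised != installed_version:
            stale.append((path, advertised))
    return stale


if __name__ == "__main__":
    # Hypothetical usage: check_stale.py /opt/tomcat/webapps 8.5.51
    if len(sys.argv) != 3:
        sys.exit("usage: check_stale.py <webapps_dir> <installed_version>")
    findings = stale_webapp_files(sys.argv[1], sys.argv[2])
    for path, advertised in findings:
        print(f"STALE {advertised} (expected {sys.argv[2]}): {path}")
    sys.exit(1 if findings else 0)
```

A non-zero exit status means at least one deployed webapp still carries release notes from an older Tomcat, which is the condition the scanner reports on.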