This is a short story of fixing Tomcat in an EMR cluster. There is a CVE about Tomcat 8 hole. I’m using EMR 5.12.2. Let’s try installing CVE patch as a bootstrap action with

It should fix the mentioned hole but after bringing up the new cluster and running

we can see that it installs version 8.5.29 of tomcat (instead of 8.5.42 or something newer). Why? Let’s SSH into the EMR and check:

So there is no newer version. But if we try applying the CVE patch again we get:

So it was able to update the Tomcat even though the same command run through bootstrap didn’t do it. What’s happening?

Let’s try installing it manually. Add another boostrap action before the AWS script:

Logs show this:

So it could find version 8.5.42 but refused to update it. How to fix that? The solution is to install instead of update. Let’s try this:

And now it works as expected. Unfortunately, installing specific Tomcat version (instead of latest one) is not the best idea but at least this solves the issue.