Updating BusinessConnect to address CVE-2025-24813


Article ID: KB0137477


Products: TIBCO BusinessConnect
Versions: 7.4.0

Description

BusinessConnect's Gateway Server contains catalina.jar 9.0.83, a jar affected by this vulnerability. If you wish to update the Gateway Server for this specific reason, follow the instructions below.

Environment

all platforms

Resolution

To resolve this issue, catalina.jar 9.0.98 must be installed.

BusinessConnect's Gateway Server (gsengine) uses this jar file separately from the TIBCO Administrator. To upgrade the GS to support 9.0.98:

  1. Stop the GS.
  2. Install BusinessConnect 7.4.0 Hotfix 3, which installs catalina.jar 9.0.96 into the $BC_HOME/hotfix/lib directory.
  3. Back up the existing hotfix/lib directory.

  4. Delete all the files in the hotfix/lib directory EXCEPT FOR THESE FILES:

         - configstore-bc.jar
         - configstore-core.jar
         - gateway.jar
         - apache-mime4j-core-0.8.9.jar
         - axiom-api-1.4.0.jar
         - axiom-dom-1.4.0.jar
         - axiom-impl-1.4.0.jar
         - axis2-adb-1.8.2.jar
         - axis2-jaxws-1.8.2.jar
         - axis2-kernel-1.8.2.jar
         - axis2-saaj-1.8.2.jar
         - neethi-3.2.0.jar
         - TIBCrypt.jar
         - tibcryptx_pswd.jar

  5. From the Tomcat 9.0.98 distribution, copy all the files from the distribution's lib directory into BC's hotfix/lib directory.

  6. Restart the GS.
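
Steps 3 to 5 above as a shell function, added here as an example and not part of the TIBCO article or product. The function names, the `KEEP_LIST` variable and the backup directory name are assumptions.

```shell
#!/bin/sh
# Added example: steps 3-5 of the article's procedure. Run it only with the GS
# stopped and Hotfix 3 installed (steps 1-2); restart the GS afterwards (step 6).

# Files the article says must remain in hotfix/lib (step 4).
KEEP_LIST="configstore-bc.jar configstore-core.jar gateway.jar
apache-mime4j-core-0.8.9.jar axiom-api-1.4.0.jar axiom-dom-1.4.0.jar
axiom-impl-1.4.0.jar axis2-adb-1.8.2.jar axis2-jaxws-1.8.2.jar
axis2-kernel-1.8.2.jar axis2-saaj-1.8.2.jar neethi-3.2.0.jar
TIBCrypt.jar tibcryptx_pswd.jar"

# Succeeds when the given file name is on the keep list.
is_kept() {
    for k in $KEEP_LIST; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# update_hotfix_lib <BC_HOME> <lib directory of the Tomcat 9.0.98 distribution>
# Prints the backup directory on success.
update_hotfix_lib() {
    lib="$1/hotfix/lib"
    tomcat_lib="$2"
    # Backup location and naming are assumptions; the article only says to back up.
    backup="$1/hotfix/lib.backup.$(date +%Y%m%d%H%M%S)"

    [ -d "$lib" ] || { echo "not a directory: $lib" >&2; return 1; }
    [ -f "$tomcat_lib/catalina.jar" ] ||
        { echo "no catalina.jar in $tomcat_lib" >&2; return 1; }

    # A missing keep-list file may mean the wrong directory was given.
    for k in $KEEP_LIST; do
        [ -f "$lib/$k" ] || echo "warning: $k not present in $lib" >&2
    done

    cp -Rp "$lib" "$backup" || return 1           # step 3: back up

    for f in "$lib"/*; do                         # step 4: delete the rest
        [ -f "$f" ] || continue
        is_kept "$(basename "$f")" || rm -f "$f" || return 1
    done

    cp -p "$tomcat_lib"/* "$lib"/ || return 1     # step 5: copy Tomcat's lib
    echo "$backup"
}
```

Call it as `update_hotfix_lib "$BC_HOME" <lib directory of the Tomcat 9.0.98 distribution>`; it stops before changing anything if either directory is not what it expects.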

 

Issue/Introduction

CVE-2025-24813 has been announced; it concerns catalina.jar versions prior to 9.0.98. The BusinessConnect 7.4.0 Gateway Server uses this jar file. Although the Gateway Server is not impacted by this vulnerability, customers may want to upgrade the catalina.jar file for compliance reasons. This article describes how to update BusinessConnect.