Dealing with "Upgrade your Java/Tomcat/PHP/Python versions on App Service"

You may have received Security recommendations for your App Services similar to the one shown below:

"Upgrade your Java and Tomcat versions on App Service to continue receiving critical security updates.

You're receiving this email because you currently use an outdated version of Java or Tomcat on App Service."

Not just for Java, you may receive these notifications for other stacks like PHP, Python, .NET etc. These recommendations do not provide a list of Apps in your subscription that are non-compliant (in this case, apps using outdated Java or Tomcat version). To take proper action on this recommendation, you will first need to find out what Java versions are used by your Apps. This article discusses how you can obtain this information using Azure CLI.

Step #1:

Login to Azure CLI and ensure you’re signed into the right account:

• az login
• az account show

You can alternatively use Azure Cloud Shell: https://docs.microsoft.com/en-us/azure/cloud-shell/quickstart.

Run this command to set the subscription you’ll be working with:

• az account set --subscription 'my-subscription-name'

The commands used in this article are demonstrated using Azure Cloud Shell.

Step #2:

The basic idea is to query the Java and Tomcat versions using javaVersion, javaContainer, and javaContainerVersion properties on the Microsoft.Web/sites/config object on Windows sites. On Linux sites, you can query the LinuxFxVersion property on the site object.

• az webapp list --query '[*].id' -o tsv | az webapp config show --ids - --query '[].{ResourceID:id, javaVersion: javaVersion, javaContainer:javaContainer, javaContainerVersion: javaContainerVersion, linuxFxVersion: linuxFxVersion}' -o table

Here’s a sample output of this command for my subscription:

For other stacks:

To do the same for other stacks, just run the command below for any of your Apps and check the respective parameter to query:

• az webapp config show --ids "/subscriptions/<subID>/resourceGroups/<RGName>/providers/Microsoft.Web/sites/<AppName>" 

You will see parameters like:

"phpVersion"

  "pythonVersion"

  "netFrameworkVersion"

  "nodeVersion"

You can use these in the query above and customize it to get more granular results. Here are some samples:

• az webapp list --query '[*].id' -o tsv | az webapp config show --ids - --query '[].{ResourceID:id, phpVersion: phpVersion, linuxFxVersion: linuxFxVersion}' -o table
• az webapp list --query '[*].id' -o tsv | az webapp config show --ids - --query '[].{ResourceID:id, pythonVersion: pythonVersion, linuxFxVersion: linuxFxVersion}' -o table
• az webapp list --query '[*].id' -o tsv | az webapp config show --ids - --query '[].{ResourceID:id, netFrameworkVersion: netFrameworkVersion, linuxFxVersion: linuxFxVersion}' -o table

Step #3:

Repeat the above steps for all the subscriptions that received the notification.

Step #4:

Upgrade your Java or Tomcat version as needed: Java, Tomcat, and JBoss EAP version updates - Azure App Service

Reference Documents:

If you want to play around with the query further and alter it to suit your needs, here are some documents I found helpful:

• https://docs.microsoft.com/en-us/cli/azure/query-azure-cli
• https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively
• https://docs.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest#az_webapp_config_show

I hope this helps! Happy CLI-ing 😊