
Is CABI Jaspersoft vulnerable to the CVE-2020-1938 "GhostCat" vulnerability?


Article ID: 185860


Updated On:

Products

CA Spectrum, ServiceDesk, Server Management Suite, Clarity PPM On Premise, DX NetOps

Issue/Introduction

Is CABI Jaspersoft vulnerable to the CVE-2020-1938 "GhostCat" vulnerability?

Cause

Out of the box, CABI Jaspersoft is vulnerable to the GhostCat vulnerability.

However, this is only because TIBCO ships the bundled Tomcat with the AJP connector enabled; the connector is not used by Broadcom products.

Environment

All CABI Jaspersoft Versions

Resolution

The AJP Connector can be commented out or removed from the server.xml file for CABI Jaspersoft without affecting the product or its integration with Broadcom products.

Simply comment out the AJP connector in the */conf/server.xml file:

Windows default path: C:\Program Files\CA\SC\CA Business Intelligence\apache-tomcat\conf\server.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  <GlobalNamingResources>
    <Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    -->
    <Engine defaultHost="localhost" name="Catalina">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      <Host appBase="webapps" autoDeploy="true" name="localhost" startStopThreads="-1" unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log" suffix=".txt"/>
      </Host>
    </Engine>
  </Service>
</Server>
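To verify that the change took effect, the following added script (not part of the Broadcom KB article, and not a Broadcom or TIBCO tool) parses a Tomcat server.xml and reports any AJP connector that is still active. Because the XML parser discards comments, a connector wrapped in <!-- --> as shown above is not reported, while an uncommented one is. The two server.xml samples embedded in the script are constructed for the example; the file path and the function name are assumptions.

```python
# Added example: report AJP connectors that are still enabled in a Tomcat
# server.xml.  Not from the KB article; the samples below are constructed.
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List


def active_ajp_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Return one dict per enabled <Connector> whose protocol is AJP.

    Connectors inside <!-- --> comments never reach the parser, so a
    commented-out AJP connector is not reported.  Each finding carries the
    attributes needed to judge exposure: port, protocol and bind address.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        # Tomcat defaults to HTTP/1.1 when no protocol attribute is given.
        protocol = connector.get("protocol", "HTTP/1.1")
        # Matches both "AJP/1.3" and the explicit AjpNioProtocol class name.
        if "AJP" not in protocol.upper():
            continue
        findings.append({
            "port": connector.get("port", ""),
            "protocol": protocol,
            # Without an address attribute Tomcat listens on all interfaces.
            "address": connector.get("address", "0.0.0.0"),
        })
    return findings


# Constructed sample: AJP connector still enabled (the out-of-the-box state).
BEFORE_FIX = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine defaultHost="localhost" name="Catalina"/>
  </Service>
</Server>
"""

# Constructed sample: AJP connector commented out as the article instructs.
AFTER_FIX = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    -->
    <Engine defaultHost="localhost" name="Catalina"/>
  </Service>
</Server>
"""


def check_file(path: str) -> int:
    """Read a real server.xml; return 1 if any AJP connector is active."""
    with open(path, encoding="utf-8") as fh:
        findings = active_ajp_connectors(fh.read())
    for f in findings:
        print(f"ACTIVE AJP connector: port={f['port']} "
              f"protocol={f['protocol']} address={f['address']}")
    if not findings:
        print("No active AJP connector found.")
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: python check_ajp.py /path/to/apache-tomcat/conf/server.xml
    # With no argument, run against the constructed samples instead.
    if len(sys.argv) > 1:
        sys.exit(check_file(sys.argv[1]))
    print("before fix:", active_ajp_connectors(BEFORE_FIX))
    print("after fix: ", active_ajp_connectors(AFTER_FIX))
```

Run it against the conf/server.xml of the CABI Tomcat instance after editing; a non-zero exit code means an AJP connector is still enabled and the Tomcat service has not been restarted with the corrected file, or the edit did not take. The bind address is reported because an AJP connector that listens on all interfaces is the exposure GhostCat depends on.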

Additional Information

https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487


Note: CABI 7.9.1 ships with Apache Tomcat 8.5.64, which is not vulnerable.
