Are Service Desk Manager, Service Catalog and IT Asset Manager impacted by the Ghostcat vulnerability (CVE-2020-1938)?
Release: 17.1 or higher
Component: CA Service Desk Manager
CA Service Desk Manager:
Service Desk Manager does not use the AJP protocol out of the box, so the SDM Tomcat instances are not exposed unless an AJP connector has been added to them manually. Service Catalog's AJP connector may be in use when Catalog is deployed in its out-of-the-box cluster configuration (see the Service Catalog section below).
Out of the box, the following are the main Tomcat engines that SDM offers.
Main SDM Tomcat install: NX_ROOT/bopcfg/www/CATALINA_BASE
Federated Search: NX_ROOT/bopcfg/www/CATALINA_BASE_FS
REST Web Services: NX_ROOT/bopcfg/www/CATALINA_BASE_REST
Support Automation: NX_ROOT/bopcfg/www/CATALINA_BASE_SA (deprecated as of SDM 17.3 and excluded in 17.4)
CMDB Visualizer: NX_ROOT/bopcfg/www/CATALINA_BASE_VIZ
REST Reporting: NX_ROOT/bopcfg/www/CATALINA_BASE_RPT (introduced in SDM 17.4 RU4)
CA IT Asset Manager:
ITAM itself does not use Tomcat directly, as it is an IIS application. Shared components such as AMS do rely on Tomcat, but AMS is not known to use AJP. The AMS install is located in X:\Program Files (x86)\CA\SharedComponents\AMS\
CA Service Catalog:
Ghostcat is only reachable through an active AJP connector, so disabling the AJP connector removes the exposure. The connector can be commented out, as shown in the example below, in any Tomcat server.xml file. Service Catalog has two server.xml files:
C:\Program Files\CA\Service Catalog\embedded\tomcat\conf\server.xml
C:\Program Files\CA\Service Catalog\view\conf\server.xml
Below indicates that the connector is commented out.
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" xpoweredBy="false" allowTrace="false"></Connector> -->
If the AJP connector cannot be disabled because it is needed (for example, in a Catalog cluster configuration), configure the "requiredSecret" attribute on the AJP connector so that AJP clients must present a shared secret, and bind the connector to a specific address with the "address" attribute so it does not listen on all interfaces. For example (YOUR_TOMCAT_AJP_SECRET is your secret and YOUR_TOMCAT_IP_ADDRESS is the interface the cluster peers connect to):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET"></Connector>
The same secret must be configured on the AJP client (for example, the front-end web server's AJP proxy module). Note that the Tomcat releases that fixed CVE-2020-1938 renamed this attribute to "secret" and added "secretRequired" (true by default), so check the attribute name against the Tomcat version bundled with your Catalog release.
Save the file and restart the appropriate product for the change to take effect.
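To verify the mitigation across all the Tomcat instances listed above, the following script audits each server.xml for AJP connectors that are still active and lack a secret or an explicit bind address. It is an added example and not part of this article or of the CA/Broadcom products; the NX_ROOT location, the Catalog install directory, and the standard conf/server.xml layout under each CATALINA_BASE directory are assumptions for your environment, and the three server.xml fragments embedded in it are constructed test data.

```python
"""Audit Tomcat server.xml files for exposed AJP connectors (CVE-2020-1938).

Added example, not code from the KB article or the products it describes.
Assumptions: NX_ROOT comes from the environment variable of the same name,
Catalog is installed under C:\\Program Files\\CA\\Service Catalog, and each
Tomcat instance keeps its config at <CATALINA_BASE>/conf/server.xml.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not real product files).
EXPOSED = """<Server port="8005"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

COMMENTED = """<Server port="8005"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
</Service></Server>"""

SECURED = """<Server port="8005"><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             address="10.0.0.5" requiredSecret="YOUR_TOMCAT_AJP_SECRET"/>
</Service></Server>"""

# SDM Tomcat instances from the article plus Catalog's two server.xml files.
SDM_INSTANCES = ["CATALINA_BASE", "CATALINA_BASE_FS", "CATALINA_BASE_REST",
                 "CATALINA_BASE_SA", "CATALINA_BASE_VIZ", "CATALINA_BASE_RPT"]
CATALOG_ROOT = r"C:\Program Files\CA\Service Catalog"  # assumption


def default_paths():
    """Build the list of server.xml paths to check (assumed layout)."""
    nx_root = os.environ.get("NX_ROOT", r"C:\Program Files\CA\Service Desk Manager")
    paths = [os.path.join(nx_root, "bopcfg", "www", inst, "conf", "server.xml")
             for inst in SDM_INSTANCES]
    paths += [os.path.join(CATALOG_ROOT, "embedded", "tomcat", "conf", "server.xml"),
              os.path.join(CATALOG_ROOT, "view", "conf", "server.xml")]
    return paths


def audit_server_xml(xml_text):
    """Return one finding per *active* AJP connector in the given server.xml.

    Commented-out connectors are discarded by the XML parser, so the
    commenting mitigation from the article produces no findings. A connector
    is clean only when it carries a shared secret (requiredSecret on older
    Tomcat, secret on the fixed releases) and binds to an explicit address.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP/HTTPS connectors are not affected by Ghostcat
        secret = conn.get("secret") or conn.get("requiredSecret")
        address = conn.get("address")
        issues = []
        if not secret:
            issues.append("no AJP secret")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired disabled")
        if address is None or address in ("0.0.0.0", "::"):
            issues.append("listens on all interfaces")
        findings.append({"port": conn.get("port"), "address": address,
                         "secret_set": bool(secret), "issues": issues})
    return findings


def scan_files(paths):
    """Audit every server.xml that exists; returns {path: findings}."""
    results = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                results[path] = audit_server_xml(fh.read())
    return results


if __name__ == "__main__":
    for path, findings in scan_files(default_paths()).items():
        for f in findings:
            state = "OK" if not f["issues"] else "EXPOSED: " + ", ".join(f["issues"])
            print(f"{path}: AJP port {f['port']} address={f['address']} -> {state}")
```

Run it on each SDM and Catalog server once the server.xml edits are saved; any connector reported as EXPOSED still needs to be commented out or given both a secret and a bind address, and the product then restarted.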