ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Impact of Ghostcat (CVE-2020-1938) with Service Management r17.x
Article ID: 186049
Updated On:
Products
CA Service Desk Manager
SUPPORT AUTOMATION- SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Desk Manager - Mobile Application
CA Service Desk Manager - Xtraction
CA Service Catalog
CA IT Asset Manager
CA IT Asset Manager Asset Portfolio Management
Issue/Introduction
Do Service Desk Manager/Service Catalog/IT Asset Manager get impacted by Ghostcat vulnerability (CVE-2020-1938) https://www.cisecurity.org/advisory/a-vulnerability-in-apache-tomcat-could-allow-for-arbitrary-file-reading-cve-2020-1938_2020-028/
Cause
Environment
Release : 17.x
Component : SERVICE DESK MANAGER
Resolution
We do not depend on AJP protocol out of the box in Service Desk Manager. Service Catalog's might be used when its made part of out of the box cluster configuration.
AJP connector can be disabled so that the exposure of this vulnerability does not happen.
Commenting of the AJP connector can be done like indicated in below example on any Tomcat's server.xml files.
Below indicates that the connector is commented out.
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" xpoweredBy="false" allowTrace="false"></Connector> -->
If AJP Connector cannot be disabled and needs to be used (example: Catalog Cluster configuration), you can configure the “requiredSecret” attribute for the AJP Connector to set AJP protocol authentication credentials. For example (YOUR_TOMCAT_AJP_SECRET is your password)
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET"
Save the file and restart appropriate product for the change to be effective
AJP connector can be disabled so that the exposure of this vulnerability does not happen.
Commenting of the AJP connector can be done like indicated in below example on any Tomcat's server.xml files.
Below indicates that the connector is commented out.
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" xpoweredBy="false" allowTrace="false"></Connector> -->
If AJP Connector cannot be disabled and needs to be used (example: Catalog Cluster configuration), you can configure the “requiredSecret” attribute for the AJP Connector to set AJP protocol authentication credentials. For example (YOUR_TOMCAT_AJP_SECRET is your password)
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET"
Save the file and restart appropriate product for the change to be effective
Additional Information
Out of the box, NX_ROOT/bopcfg/CATALINA_BASE CATALINA_BASE_FS CATALINA_BASE_REST CATALINA_BASE_SA CATALINA_BASE_VIZ are the main Tomcat engines that SDM offers.
Feedback
Yes
No
Powered by
