CCS and CSM Apache Tomcat and the CVE-2020-1938 vulnerability

Article ID: 186545

Products

  • COMMON SERVICES FOR Z/OS
  • CHORUS SOFTWARE MANAGER

Issue/Introduction

Are CCS and CSM Apache Tomcat affected by the CVE-2020-1938 vulnerability? How can this be verified? 

 

Cause

Vulnerability concern

Environment

  • z/OS 2.x
  • CCS and CSM Apache Tomcat 

 

Resolution

Regarding your concern, I have confirmed with Common Services and Chorus Software Manager Level 2 that by default the AJP connector that is referenced in the CVE-2020-1938 vulnerability description is disabled in CCS and CSM Apache Tomcat.

This can be verified by viewing the Tomcat server XML file. In the file delivered with CCS Tomcat you will find the connector associated with AJP disabled (e.g., commented out).
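The same check can be scripted, which helps when several Tomcat instances have to be reviewed. This is an added example, not code from the vendor or from the CCS/CSM distribution: the sample XML is constructed, the function name `active_ajp_connectors` is hypothetical, and the path to the real server XML file is site-specific and passed as an argument.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat server XML file with the AJP connector
# commented out; it is not the file delivered with CCS or CSM.
SAMPLE_DISABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
  </Service>
</Server>
"""
# Same constructed sample with the comment markers removed (AJP enabled).
SAMPLE_ENABLED = SAMPLE_DISABLED.replace("<!--", "").replace("-->", "")


def active_ajp_connectors(xml_data):
    """Return (port, protocol) for each AJP <Connector> that is not commented out."""
    # The XML parser discards comments, so a commented-out connector
    # never shows up as an element in the tree.
    root = ET.fromstring(xml_data)
    found = []
    for conn in root.iter("Connector"):
        # A connector with no protocol attribute is an HTTP/1.1 connector.
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" and AJP class names such as ...ajp.AjpNioProtocol.
        if "ajp" in protocol.lower():
            found.append((conn.get("port"), protocol))
    return found


def main(argv):
    # No argument: check the constructed sample. Otherwise argv[1] is the
    # path to the server XML file, read as bytes so the parser can honour
    # the encoding declared in the file.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_DISABLED
    hits = active_ajp_connectors(data)
    for port, protocol in hits:
        print(f"ACTIVE AJP connector: port={port} protocol={protocol}")
    if not hits:
        print("No active AJP connector found")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits with status 1 when an active AJP connector is present, so it can be used as a gate in a configuration audit job.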

Additional Information

CVE-2020-1938 detail