ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

CDD 6.5 - 57 Security vulnerability of the Apache Tomcat version 8.5.15 that is bundled in CDD ("CVE-2020–1938, GhostCat")

book

Article ID: 186570

calendar_today

Updated On:

Products

Continuous Delivery Director

Issue/Introduction

We are still using Continuous Delivery Director 6.5 - 57 to promote application from Dev to Test to Pilot to Prod on several areas. 

  1. We noticed that Apache Tomcat version 8.5.15 bundled in CDD has critical vulnerability "CVE-2020–1938, GhostCat" causing AJP Request Injection and potential Remote Code Execution. So the vulnerability apply only to AJP.  Is AJP used in the bundled Tomcat installation
  2. Can we disable AJP without causing trouble into the tool usage? Or do you have any other instructions how to mitigate the problem?

 

Environment

Release : 6.5

Component : CONTINUOUS DELIVERY DIRECTOR

Resolution

Please find answers to your questions

1: Continuous Delivery Director (CDD) is not bundled to a specific Tomcat release. We do recommend to use the latest stable Tomcat 8.5 server.

We would recommend to backup your application and deploy the latest tomcat 8.5 release - https://tomcat.apache.org/download-80.cgi#8.5.51
Note: This is an outdated CDD release, we have not certified this tomcat version with that version of CDD.

CDD has released several newer releases since 6.5 was out. We currently have CDD 7.2 which will be available to our customers very soon - you can read more about this release here: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/intelligent-automation/automic-continuous-delivery-director-onprem/7-2/release-notes.html 


2: CDD is not using or relying on Tomcat AJP Connector. From CDD perspective, you may disable the AJP connector or simply follow the remediation steps for CVE-2020-1938.

Recommendation: Upgrade Tomcat server to 8.5.5.1. However, applying recommendation, depends on your current scenarios.

Additional Information

  • AJP Connector : The AJP Connector is a Tomcat component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache HTTP server installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
  • Disabling/Restricting AJP connector access:

1: Edit <CATALINA_BASE>/conf/server.xml,find the following line (<CATALINA_BASE> is the Tomcat work directory):

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

2: Comment out it (or just delete it):

<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->

3: Save the edit, and then restart Tomcat.

OR

In addition to the above measures, of course, you can also use firewalls to prevent untrusted sources from accessing the Tomcat AJP Connector service port.