Our internal third-party vulnerability team detected a vulnerability in Tomcat on the OM Web Viewer servers. Please provide information or guidance on remediating this issue.
The scanner finding refers to a vulnerability in the Apache Tomcat AJP connector, CVE-2020-1938, also known as "Ghostcat". An attacker who can reach the AJP port (8009 by default) can read any file of a deployed web application, including WEB-INF/web.xml. If the Tomcat instance also supports file uploads, the same flaw can be leveraged to achieve remote code execution.
Affected versions are:
Apache Tomcat 9.0.0 through 9.0.30
Apache Tomcat 8.5.0 through 8.5.50
Apache Tomcat 7.0.0 through 7.0.99
QID Detection Logic (Unauthenticated)
The QID sends an AJP request that attempts to retrieve the WEB-INF/web.xml file of the web application. Note: Tomcat 8.0.x (end of life, so no fixed 8.0.x release exists) was also found to be affected during investigation.
Remediation Notes: Updated versions of Apache Tomcat that fix this vulnerability are available from https://tomcat.apache.org/ (9.0.31, 8.5.51 and 7.0.100 or later; starting with those releases the AJP connector is commented out in the default server.xml, binds to the loopback address when enabled, and requires a shared secret unless secretRequired is explicitly set to false). Until the patched Tomcat is delivered with the product, the workaround is to temporarily disable the AJP connector so that nothing listens on the AJP port.
Release: 12.1
Component: OUTPUT MANAGEMENT WEB VIEWER FOR ALL PLATFORMS
Workaround
Edit Tomcat's conf/server.xml and wrap the AJP Connector element in an XML comment (or delete it), then restart Tomcat. Everything between <!-- and --> is ignored by Tomcat, so the connector is not started. The AJP connector is only needed when a front-end web server proxies to Tomcat over AJP (mod_jk or mod_proxy_ajp); if nothing in front of Tomcat does so, disabling it has no functional impact. The section should look like this afterwards:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
           address="::1"
           port="8009"
           redirectPort="8443" />
-->
After the restart, confirm that nothing is listening on port 8009 (for example with netstat -an on Windows or ss -ltn on Linux). If the AJP connector must stay enabled, keep address set to a loopback or internal address as shown above so the port is not reachable from other hosts, and once the fixed Tomcat release is in place configure the secret attribute on the connector.
Sustaining Engineering is working on the Tomcat 9.0.54 resolution.
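The following script is an added example and is not part of this article or of the product; it automates the two checks an administrator would perform on a Web Viewer host to confirm the remediation: whether the installed Tomcat version falls in the affected ranges listed above, and whether conf/server.xml still contains an active AJP connector and, if so, whether it is reachable from other hosts and lacks a shared secret. The fixed release numbers are taken from the Apache Tomcat advisory; the three server.xml documents embedded below are constructed for this example and are not the product's actual configuration. The file path to the real server.xml on a Web Viewer installation is not given in this article and must be supplied by the reader.

```python
"""Offline checks for the Ghostcat (CVE-2020-1938) remediation.

Check 1: is the Tomcat version in an affected range?
Check 2: does server.xml still have an active (uncommented) AJP connector?
The server.xml samples at the bottom are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

# First fixed release of each Tomcat line, per the Apache Tomcat advisory.
FIXED_RELEASES = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

# Addresses that keep the connector unreachable from other hosts.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Accepts '9.0.30', 'Apache Tomcat/9.0.30' or '9.0.0.M1'; milestone
    suffixes are dropped so 9.0.0.M1 compares as 9.0.0."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    if len(parts) != 3:
        raise ValueError("cannot parse Tomcat version: %r" % version)
    return parts[0], parts[1], parts[2]


def is_vulnerable_version(version: str) -> bool:
    """True when the version predates the fix for its line.
    Lines with no fixed release (6.x and the end-of-life 8.0.x) are
    reported as affected; 10.0.0 GA and later shipped with the fix
    (10.0 milestone builds are not distinguished here)."""
    v = parse_version(version)
    if v[0] >= 10:
        return False
    fixed = FIXED_RELEASES.get(v[0])
    if fixed is None:
        return True
    return v < fixed


@dataclass
class AjpFinding:
    port: str
    address: str
    remotely_reachable: bool  # bound to something other than loopback
    no_secret: bool           # no shared secret configured on the connector


def audit_ajp_connectors(server_xml: str) -> List[AjpFinding]:
    """Report every active AJP connector in a server.xml document.

    ElementTree discards XML comments while parsing, so a connector that
    has been commented out (the workaround) is not seen, just as Tomcat
    does not start it."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # A Connector with no protocol attribute is HTTP/1.1 in Tomcat.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        # Before the fixed releases an AJP connector with no address
        # attribute listened on all interfaces.
        address = conn.get("address", "0.0.0.0")
        # 'secret' is the attribute in fixed releases; 'requiredSecret'
        # is the older spelling accepted by pre-fix versions.
        has_secret = conn.get("secret") is not None or conn.get("requiredSecret") is not None
        findings.append(AjpFinding(
            port=conn.get("port", ""),
            address=address,
            remotely_reachable=address not in LOOPBACK,
            no_secret=not has_secret,
        ))
    return findings


# Constructed sample: pre-workaround server.xml with the default AJP connector.
SERVER_XML_BEFORE = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same file after applying the workaround.
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace(
    '<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />',
    '<!--\n<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />\n-->')

# Constructed sample: AJP kept enabled but loopback-bound with a secret.
SERVER_XML_HARDENED = SERVER_XML_BEFORE.replace(
    '<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />',
    '<Connector protocol="AJP/1.3" address="::1" port="8009" '
    'secret="example-shared-secret" redirectPort="8443" />')


if __name__ == "__main__":
    for ver in ("Apache Tomcat/9.0.30", "9.0.54", "8.0.53"):
        print(ver, "affected" if is_vulnerable_version(ver) else "fixed")
    for label, doc in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER),
                       ("hardened", SERVER_XML_HARDENED)):
        print(label, audit_ajp_connectors(doc) or "no active AJP connector")
```

To use it against a real host, replace the constructed samples with the contents of the installation's conf/server.xml and the version string from the Tomcat banner; a result with an AJP connector that is remotely reachable or has no secret on an affected version means the workaround has not taken effect.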