
AJP port vulnerability in standalone installations


Article ID: 187807


Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

We have found the following patches for VAPP environments to remediate the AJP File Read/Inclusion vulnerabilities in Apache Tomcat (CVE-2020-1938) and Undertow (CVE-2020-1745):

https://support.broadcom.com/download-center/solution-detail.html?aparNo=SS12467&os=ANY

Is there a similar patch for standalone, non-VAPP deployments?

Environment

Release: 14.1, 14.2, 14.3

Component: IdentityMinder (Identity Manager)

Resolution

This issue lies within the application server and should be discussed with your application server administrator. Updates are available for the application server that prevent this exploit. We provide patches for the VAPP virtual appliance environments because their permissions do not allow customers to make the required modifications to the embedded WildFly instance.
 
Red Hat documentation for these vulnerabilities can be found in
https://access.redhat.com/security/cve/cve-2020-1745
and
https://access.redhat.com/security/cve/cve-2020-1938
with the solution published under
https://access.redhat.com/solutions/4851251
 
The recommendation is to apply the relevant application server patches that address the vulnerability; this requires no manual changes to the standalone XML file.
Disabling AJP altogether would require further changes to the modcluster subsystem configuration (which uses AJP by default) and therefore additional adjustments. Relying on the vendor patches rather than manual edits also eliminates the possibility of a future upgrade overwriting such manual changes.

Additional Information

Identity Manager by itself does not use AJP port connections and out of the box will not be impacted, but there are scenarios where the AJP port is in use. Some of those include using a proxy in front of Identity Manager:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-manager/14-3/configuring/ca-single-sign-on-integration/integrate-ca-single-sign-on-with-ca-identity-manager/install-the-web-proxy-server-plug-in/install-the-proxy-plug-in-for-jboss.html

and environments that are protected by SiteMinder using the Web Agent; see:
https://knowledge.broadcom.com/external/article/53831
 
As stated above, standalone.xml uses AJP for its modcluster subsystem even when Identity Manager does not use it directly.
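Before deciding whether the vendor patch alone is sufficient or whether the AJP listener is reachable from outside the host, an administrator will want to know where standalone.xml actually binds AJP and which modcluster elements depend on it. The following script is an added example written for this article; it is not Broadcom, WildFly or Red Hat code. It reads a WildFly-style standalone.xml statically and reports, for each `ajp-listener`, the resolved port, the interface and bind address it inherits through its socket binding, and whether the modcluster subsystem references it. The sample XML is constructed for the demonstration, and the modcluster attribute names `connector` (older schemas) and `listener` (newer schemas) are assumptions about the schema versions an installation may carry.

```python
"""Static audit of a WildFly/JBoss standalone.xml for AJP exposure.

Added example, not part of the original article or any vendor code base.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on a WildFly standalone-ha.xml layout;
# not a real Identity Manager configuration file.
SAMPLE_STANDALONE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:4.0">
  <interfaces>
    <interface name="management">
      <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
    </interface>
    <interface name="public">
      <inet-address value="${jboss.bind.address:0.0.0.0}"/>
    </interface>
  </interfaces>
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:3.0">
      <server name="default-server">
        <ajp-listener name="ajp" socket-binding="ajp"/>
        <http-listener name="default" socket-binding="http"/>
      </server>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:modcluster:2.0">
      <mod-cluster-config advertise-socket="modcluster" connector="ajp"/>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
  </socket-binding-group>
</server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def local_name(tag):
    """Drop the XML namespace; subsystem schema versions differ between releases."""
    return tag.rsplit("}", 1)[-1]


def resolve_expr(value):
    """Resolve a WildFly ${property:default} expression to its default value.

    A plain literal is returned unchanged; an expression with no default
    yields None, because the value is only decided at server start-up.
    """
    if value is None:
        return None
    match = re.fullmatch(r"\$\{[^:}]+(?::([^}]*))?\}", value)
    return match.group(1) if match else value


def audit_ajp(xml_text):
    """Return one finding per ajp-listener: port, bind address, exposure, users.

    Assumption: modcluster names the listener via 'connector' (older schemas)
    or 'listener' (newer schemas).
    """
    elems = list(ET.fromstring(xml_text).iter())
    findings = []
    for listener in (e for e in elems if local_name(e.tag) == "ajp-listener"):
        name = listener.get("name")
        binding_name = listener.get("socket-binding")
        port, iface_name, address = None, None, None
        # Socket binding gives the port and the (default) interface name.
        for group in (e for e in elems if local_name(e.tag) == "socket-binding-group"):
            for sb in group:
                if local_name(sb.tag) == "socket-binding" and sb.get("name") == binding_name:
                    port = resolve_expr(sb.get("port"))
                    iface_name = sb.get("interface") or group.get("default-interface")
        # Interface definition gives the address the listener binds to.
        for iface in (e for e in elems if local_name(e.tag) == "interface"):
            if iface.get("name") == iface_name:
                for child in iface:
                    if local_name(child.tag) == "inet-address":
                        address = resolve_expr(child.get("value"))
        used_by = sorted(
            local_name(e.tag) for e in elems
            if local_name(e.tag) in ("mod-cluster-config", "proxy")
            and name in (e.get("connector"), e.get("listener"))
        )
        findings.append({
            "listener": name,
            "socket_binding": binding_name,
            "port": port,
            "interface": iface_name,
            "address": address,
            # None: bind address comes from a start-up property, not the file
            "exposed": None if address is None else address not in LOOPBACK,
            "used_by": used_by,
        })
    return findings


if __name__ == "__main__":
    labels = {True: "EXPOSED beyond loopback", False: "loopback only",
              None: "unknown (runtime bind address)"}
    for f in audit_ajp(SAMPLE_STANDALONE_XML):
        print(f"ajp-listener '{f['listener']}' on {f['address']}:{f['port']} "
              f"-> {labels[f['exposed']]}; referenced by: "
              f"{', '.join(f['used_by']) or 'nothing'}")
```

A finding whose `used_by` list is non-empty is exactly the case the article describes: removing the listener would break the modcluster subsystem, so the vendor patch is the safer route. The script only reads the static file; because `jboss.bind.address` can be overridden on the command line at start-up, confirm the live listening socket on the host (for example with `ss -ltn`) before concluding the AJP port is confined to loopback.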

We strongly recommend testing any changes outside of Production to ensure no impact prior to blocking the AJP communications in your live environments.
