AJP port Vulnerability stand alone installations


Article ID: 187807


Updated On:


CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite


We have found the following patches for VAPP environments to remediate the AJP File Read/Inclusion in Apache Tomcat (CVE-2020-1938) and Undertow (CVE-2020-1745) 


Is there a similar patch for stand alone non-VAPP deployments?


Release: 14.1, 14.2, 14.3

Component: IdentityMinder (Identity Manager)


This issue lies within the application server and should be discussed with your Application Server Administrator. There are updates that can be applied to prevent this exploit. We provide patches for the VAPP virtual environments because the permissions there do not allow access to make the required modifications to the embedded WildFly instance.
Red Hat documentation for these vulnerabilities can be found in
with the solution published under
The recommendation is to apply the relevant patches, which address the vulnerability at the application server level without requiring any manual changes to the standalone XML file. Patching also eliminates the possibility of any future upgrade overwriting such manual changes.
Disabling AJP altogether would require further changes to the modcluster subsystem configuration (which utilizes AJP by default) and therefore requires further adjustments.

Additional Information

Identity Manager by itself does not use AJP port connections and is not impacted out of the box, but there are scenarios where the AJP port is in use. These include using a proxy in front of Identity Manager:

And environments which are protected by SiteMinder using the Web Agent, see:
As stated above, standalone.xml utilizes AJP for its modcluster subsystem, even if AJP is not used directly by Identity Manager.

We strongly recommend testing any changes outside of Production to ensure no impact prior to blocking the AJP communications in your live environments.
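
To see whether a standalone deployment actually exposes AJP and whether modcluster depends on it, as described above, the following Python script (an added example, not part of the original article or any vendor tooling) audits a standalone.xml for AJP listeners and the modcluster elements that reference them. The embedded XML is a constructed sample; element and attribute names follow WildFly's stock HA profiles and are assumed to match your version.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a WildFly HA profile; not from a real deployment.
SAMPLE = """<server xmlns="urn:jboss:domain:8.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:modcluster:4.0">
      <proxy name="default" advertise-socket="modcluster" listener="ajp"/>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:7.0">
      <server name="default-server">
        <ajp-listener name="ajp" socket-binding="ajp"/>
        <http-listener name="default" socket-binding="http"/>
      </server>
    </subsystem>
  </profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
  </socket-binding-group>
</server>"""

def local(tag):
    """Drop the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def audit_ajp(xml_text):
    """Return AJP listeners (with their port) and modcluster elements using them."""
    root = ET.fromstring(xml_text)
    listeners, ports, dependents = {}, {}, []
    for el in root.iter():
        if local(el.tag) == "ajp-listener":
            listeners[el.get("name")] = el.get("socket-binding")
        elif local(el.tag) == "socket-binding" and el.get("port"):
            ports[el.get("name")] = el.get("port")
    for el in root.iter():
        # modcluster names an Undertow listener via listener= (newer schemas)
        # or connector= (older schemas); assumption: one of the two is used.
        ref = el.get("listener") or el.get("connector")
        if el.tag.startswith("{urn:jboss:domain:modcluster") and ref in listeners:
            dependents.append((local(el.tag), ref))
    return {
        "ajp_listeners": {n: ports.get(sb, "unresolved") for n, sb in listeners.items()},
        "modcluster_dependents": dependents,
    }

if __name__ == "__main__":
    print(audit_ajp(SAMPLE))
```

A non-empty `modcluster_dependents` list means removing the AJP listener alone would leave modcluster pointing at a listener that no longer exists, which is the further adjustment mentioned above.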