Vulnerability CVE-2020–1938 & Nolio Release Automation

book

Article ID: 188272

calendar_today

Updated On:

Products

CA Release Automation - Release Operations Center (Nolio) CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

We are using Nolio Release Automation to release/promote applications from Dev to Test to Pilot to Prod. 

  1. We noticed that Apache Tomcat version 8.0.33 bundled in Nolio Release Automation is impacted by critical vulnerability "CVE-2020–1938, GhostCat" as described here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
  2. Is AJP used in the bundled Tomcat installation?
  3. Can we disable AJP without causing trouble in Nolio Release Automation? Or do you have any other instructions how to mitigate the problem?



Cause

Let's start by going through the three points observed above:

  1. Yes. More information about the versions of Tomcat/JRE used by Nolio Release Automation Management (NAC) and Execution (NES) servers then go to the "Additional Information" section below. 
  2. No. Nolio Release Automation does not use the AJP port. 
  3. Yes. The AJP Port can/should be disabled on Nolio Release Automation Management and Execution servers. For information on how to do this please see the "Resolution" section below. 

Environment

Release : 6.6+

Component : CA Release Automation Release Operations Center


Resolution

The Tomcat Security Considerations document (can be found in the "Additional Information" section below) recommends removing any connector that is not used.

To apply commenting/removal of this AJP Port connector:

  1. Stopping the Mgmt (or NES) server service.
  2. Edit the <NOLIO_HOME>/conf/server.xml, find the following line:
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  3. Comment out the connector port entry:
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  4. Save the file.
  5. Restart Mgmt (or NES) server service.

Additional Information

Additional Tomcat Security Considerations can be found here: https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html



Nolio Release Automation Tomcat/JRE Information:


Note: The version of tomcat/jre used by Nolio Release Automation can be confirmed by running the following from the command prompt after changing to the Install Folder directory: ./bin/version.sh|bat


Nolio RA v6.6:
Using CATALINA_BASE:   /opt/nolio/test/nac
Using CATALINA_HOME:   /opt/nolio/test/nac
Using CATALINA_TMPDIR: /opt/nolio/test/nac/temp
Using JRE_HOME:        ./jre
Using CLASSPATH:       /opt/nolio/test/nac/bin/bootstrap.jar:/opt/nolio/test/nac/bin/tomcat-juli.jar
Using CATALINA_PID:    ./catalina.pid
Server version: Apache Tomcat/8.0.33
Server built:   Mar 18 2016 20:31:49 UTC
Server number:  8.0.33.0
OS Name:        Linux
OS Version:     3.10.0-957.1.3.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_162-b12
JVM Vendor:     Oracle Corporation


Nolio RA v6.7:
Using CATALINA_BASE:   /opt/nolio/prod/nac
Using CATALINA_HOME:   /opt/nolio/prod/nac
Using CATALINA_TMPDIR: /opt/nolio/prod/nac/temp
Using JRE_HOME:        ./jre
Using CLASSPATH:       /opt/nolio/prod/nac/bin/bootstrap.jar:/opt/nolio/prod/nac/bin/tomcat-juli.jar
Using CATALINA_PID:    ./catalina.pid
Server version: Apache Tomcat/8.0.33
Server built:   Mar 18 2016 20:31:49 UTC
Server number:  8.0.33.0
OS Name:        Linux
OS Version:     3.10.0-957.12.2.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_232-b09
JVM Vendor:     AdoptOpenJDK