Vulnerability CVE-2020-1938 & Nolio Release Automation

Article ID: 188272

Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

We are using Nolio Release Automation to release/promote applications from Dev to Test to Pilot to Prod.

  1. We noticed that Apache Tomcat version 8.0.33 bundled in Nolio Release Automation is impacted by the critical vulnerability "CVE-2020-1938, GhostCat" as described here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
  2. Is AJP used in the bundled Tomcat installation?
  3. Can we disable AJP without causing trouble in Nolio Release Automation? Or do you have any other instructions on how to mitigate the problem?

Environment

Release Automation 6.6+

Cause

Let's start by going through the three points raised above:

  1. Yes. For the versions of Tomcat/JRE used by the Nolio Release Automation Management (NAC) and Execution (NES) servers, see the "Additional Information" section below.
  2. No. Nolio Release Automation does not use the AJP port.
  3. Yes. The AJP port can, and should, be disabled on the Nolio Release Automation Management and Execution servers. For instructions, see the "Resolution" section below.

Resolution

The Tomcat Security Considerations document (linked in the "Additional Information" section below) recommends removing any connector that is not used.

To comment out (or remove) the AJP connector:

  1. Stop the Mgmt (or NES) server service.
  2. Edit <NOLIO_HOME>/conf/server.xml and find the following line:
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  3. Comment out the connector entry:
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  4. Save the file.
  5. Restart the Mgmt (or NES) server service.
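As an added example (not part of this KB article or of the Nolio product), the script below works through the Resolution steps against a constructed server.xml: it counts AJP connectors that are still live, wraps them in an XML comment exactly as step 3 shows, and re-counts to confirm none remain. The sample file content, the temp-file path and the function names are assumptions for illustration; on a real NAC or NES server the target is <NOLIO_HOME>/conf/server.xml and the service must be stopped first and restarted afterwards.

```shell
#!/bin/sh
# Added example (not from the KB article): locate a live AJP connector in a
# Tomcat server.xml and comment it out as the Resolution steps describe.
# The server.xml below is constructed for illustration only.

# Write a constructed server.xml fragment to a temp file and print its path.
make_sample_server_xml() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
    </Engine>
  </Service>
</Server>
EOF
    echo "$f"
}

# Count AJP connector declarations that are still live, i.e. not on a line
# that is already an XML comment. Assumes one <Connector .../> per line,
# which is how the stock server.xml is laid out.
count_active_ajp() {
    grep 'protocol="AJP/1.3"' "$1" 2>/dev/null | grep -v '<!--' | wc -l | tr -d ' '
}

# Wrap every live AJP connector line in <!-- ... -->, keeping a .bak copy.
# Lines that already carry a comment marker are left alone, so running this
# twice does not double-comment the connector.
disable_ajp() {
    f="$1"
    cp "$f" "$f.bak"
    sed '/<!--/!s#^\([[:space:]]*\)\(<Connector[^>]*protocol="AJP/1.3"[^>]*/>\)#\1<!-- \2 -->#' \
        "$f.bak" > "$f"
}

# Demo run on the constructed file.
demo="$(make_sample_server_xml)"
echo "active AJP connectors before: $(count_active_ajp "$demo")"
disable_ajp "$demo"
echo "active AJP connectors after:  $(count_active_ajp "$demo")"
grep 'AJP' "$demo"
rm -f "$demo" "$demo.bak"
```

After the service restart, confirm nothing is bound to TCP 8009 with the host's socket listing (for example `ss -ltn` or `netstat -an`); a still-listening 8009 means the edit hit a different server.xml than the one the running instance loads.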

Additional Information

Additional Tomcat Security Considerations can be found here: https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html

Nolio Release Automation Tomcat/JRE Information:

Note: The version of Tomcat/JRE used by Nolio Release Automation can be confirmed by changing to the install folder and running ./bin/version.sh (or bin\version.bat on Windows) from the command prompt. Sample output from two releases follows.

Nolio RA v6.6:
Using CATALINA_BASE:   /opt/nolio/test/nac
Using CATALINA_HOME:   /opt/nolio/test/nac
Using CATALINA_TMPDIR: /opt/nolio/test/nac/temp
Using JRE_HOME:        ./jre
Using CLASSPATH:       /opt/nolio/test/nac/bin/bootstrap.jar:/opt/nolio/test/nac/bin/tomcat-juli.jar
Using CATALINA_PID:    ./catalina.pid
Server version: Apache Tomcat/8.0.33
Server built:   Mar 18 2016 20:31:49 UTC
Server number:  8.0.33.0
OS Name:        Linux
OS Version:     3.10.0-957.1.3.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_162-b12
JVM Vendor:     Oracle Corporation


Nolio RA v6.7:
Using CATALINA_BASE:   /opt/nolio/prod/nac
Using CATALINA_HOME:   /opt/nolio/prod/nac
Using CATALINA_TMPDIR: /opt/nolio/prod/nac/temp
Using JRE_HOME:        ./jre
Using CLASSPATH:       /opt/nolio/prod/nac/bin/bootstrap.jar:/opt/nolio/prod/nac/bin/tomcat-juli.jar
Using CATALINA_PID:    ./catalina.pid
Server version: Apache Tomcat/8.0.33
Server built:   Mar 18 2016 20:31:49 UTC
Server number:  8.0.33.0
OS Name:        Linux
OS Version:     3.10.0-957.12.2.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_232-b09
JVM Vendor:     AdoptOpenJDK
The following CA Release Automation (CARA) versions ship an upgraded Tomcat version:

  • RA 6.6.9 (6.6.0b10385): Tomcat version 9.0.41 (refer to the release notes)
  • RA 6.7.4 (6.7.0b505): Tomcat version 9.0.41 (refer to the release notes)
  • RA 6.7.5 (6.7.0b570): Tomcat version 9.0.54 (refer to the release notes)