Is CA SOI 4.2 affected by the Tomcat vulnerability CVE-2020-1938 (aka Ghostcat)?
If CA SOI 4.2 is affected by this vulnerability, how can this be mitigated?
Release : 4.2
Component : Service Operations Insight (SOI) Manager
SOI 4.2 is using Tomcat 7.0.90
Workaround:
Below is the recommended mitigation for the Ghostcat vulnerability in SOI 4.2:
Either disable the AJP Connector entirely, or change its listening address to localhost so that it is no longer reachable from the network.
Steps:
(1) Edit \SOI\tomcat\conf\server.xml and find the following line:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
(2) Comment it out (or just delete it):
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
(3) Save the edit, and then restart Tomcat.
You will need to comment out the same line for the UI in \soi\samui\conf\server.xml.
Please note that with SOI 4.2 CU3, this line has already been commented out.
Perform the above steps in the customer environment and confirm whether this resolves the reported vulnerability.
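To verify that the edits took effect in both server.xml files, here is an added example check (not part of this article or of the SOI product): it parses a server.xml and reports any AJP connector that is neither commented out nor bound to localhost. The two embedded server.xml fragments are constructed samples, not copied from an SOI install.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not copied from an SOI install). The
# first still contains the AJP line quoted in the article; the second has it
# commented out and adds an AJP connector bound to loopback, the other fix.
UNPATCHED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

MITIGATED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}


def find_exposed_ajp(xml_text):
    """Return one finding per AJP connector still reachable from the network.

    A connector inside an XML comment is not an element, so a line commented
    out as in step (2) drops out of the parse. A connector whose address
    attribute is a loopback address counts as mitigated.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat accepts "AJP/1.3" or a fully qualified Ajp*Protocol class name.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        address = conn.get("address", "").strip().strip("[]").lower()
        if address in LOOPBACK:
            continue
        port = conn.get("port", "?")
        findings.append(f"AJP connector on port {port} bound to "
                        f"{address or 'all interfaces'}")
    return findings


if __name__ == "__main__":
    for name, text in (("unpatched", UNPATCHED_SERVER_XML),
                       ("mitigated", MITIGATED_SERVER_XML)):
        print(name, find_exposed_ajp(text) or ["no exposed AJP connector"])
```

Feed it the contents of both \SOI\tomcat\conf\server.xml and \soi\samui\conf\server.xml; an empty result for each file means neither Tomcat instance still exposes AJP.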
https://nvd.nist.gov/vuln/detail/CVE-2020-1938
Ghostcat in CABI
https://knowledge.broadcom.com/external/article/185860/
Note: SOI 4.2 CU2 is now using Apache Tomcat version 9.0.45.