
Apache Tomcat - Remote code execution | Ghostcat


Article ID: 190187




CA Service Operations Insight (SOI)


Is CA SOI 4.2 affected by the tomcat vulnerability CVE-2020-1938 (aka Ghostcat)?

If CA SOI 4.2 is affected by this vulnerability, how can this be mitigated?




Release : 4.2

Component : Service Operations Insight (SOI) Manager


SOI 4.2 is using Tomcat 7.0.90



Below is the recommendation for the Ghostcat vulnerability mitigation in SOI 4.2:

To mitigate Ghostcat, either disable the AJP Connector entirely or restrict it to listen on localhost only.


(1) Edit \SOI\tomcat\conf\server.xml and find the following line:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

(2) Comment it out (or just delete it):

<!--  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

(3) Save the edit, and then restart Tomcat.


You will need to comment out the same line for the UI in \soi\samui\conf\server.xml

Please note that with SOI 4.2 CU3, this line has already been commented out.
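As an added verification step (not part of the original article), the following Python script parses a Tomcat server.xml and reports any active AJP connector that is not bound to a loopback address. The sample server.xml fragments are constructed here; the 8009 connector line is the one quoted above, and the second mitigation variant assumes the standard Tomcat `address` connector attribute.

```python
"""Check a Tomcat server.xml for AJP connectors exposed beyond loopback."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def exposed_ajp_connectors(server_xml: str) -> list:
    """Return (port, address) for each active AJP connector not bound to loopback.

    Commented-out connectors are never returned: ElementTree drops XML comments
    while parsing, which matches the "comment it out" mitigation in this article.
    A missing address attribute is flagged because on Tomcat 7 an AJP connector
    without it listens on all interfaces (newer Tomcat 9 releases default to
    loopback, but flagging it is the conservative choice).
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        address = conn.get("address")
        if address is None or address.strip().lower() not in LOOPBACK:
            findings.append((conn.get("port"), address))
    return findings


# Constructed sample: server.xml as found before the mitigation (AJP on 8009 exposed).
BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: mitigation variant 1, the AJP connector commented out.
AFTER_COMMENTED = BEFORE.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!--  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->',
)

# Constructed sample: mitigation variant 2, the AJP connector bound to localhost.
AFTER_LOCALHOST = BEFORE.replace(
    'port="8009" protocol="AJP/1.3"',
    'port="8009" protocol="AJP/1.3" address="127.0.0.1"',
)

if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("commented", AFTER_COMMENTED),
                       ("localhost", AFTER_LOCALHOST)):
        print(label, "->", exposed_ajp_connectors(xml) or "no exposed AJP connector")
```

Run it against both \SOI\tomcat\conf\server.xml and \soi\samui\conf\server.xml after the edit; an empty result for each file confirms the mitigation was applied.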

Please perform the above steps in the customer environment and confirm whether this resolves the reported vulnerability.

For more details please follow the URL below.

Additional Information

Ghostcat in CABI



SOI 4.2 CU2 is now using Apache Tomcat Version 9.0.45