Client Automation - How to solve Apache Tomcat Ghostcat vulnerability (CVE-2020-1938)?



Article ID: 191417




CA Client Automation - IT Client Manager CA Client Automation


How to solve Apache Tomcat Ghostcat vulnerability (CVE-2020-1938)


Client Automation - 14 SP2 and SP3


The Ghostcat vulnerability is exploitable only when Tomcat has an AJP connector enabled, based on the following description:

Under what circumstances can Tomcat be exploited?

If the AJP Connector is enabled and the attacker can access the AJP Connector service port, there is a risk of being exploited by the Ghostcat vulnerability. It should be noted that Tomcat AJP Connector is enabled by default and listens at


From the Client Automation perspective, the following components use Tomcat:

- Web Admin Console (WAC): 8.5.6 version
- Extended Network Connectivity (ENC): 8.5.6 version
- Content Import Client (CIC): 8.5.6 version

To check the Tomcat version, set JAVA_HOME, change into the component's Tomcat bin directory and run version.bat (the version script that Tomcat ships in its bin directory):

set JAVA_HOME=C:\Program Files (x86)\CA\SC\JRE\1.8.0_92

cd \Program Files (x86)\CA\SC\Tomcat\8.5.6\bin
version.bat

cd \Program Files (x86)\CA\SC\CIC\Tomcat\bin
version.bat

It should show: Server version: Apache Tomcat/8.5.6

The following versions are impacted by this vulnerability, as per the information from this link ( ):

Apache Tomcat 9.x < 9.0.31
Apache Tomcat 8.x < 8.5.51
Apache Tomcat 7.x < 7.0.100
Apache Tomcat 6.x

Based on the above information, only the CIC component in Client Automation is impacted by this vulnerability. The Engineering team plans to upgrade the Tomcat version in a future release; until then, as a workaround, comment out the entry below in server.xml (..SC\CIC\Tomcat\conf\server.xml):

The AJP protocol attribute on this Connector is what exposes the vulnerability:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

After commenting it out, the entry should read:

<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
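The two checks in this article (compare the version.bat banner against the fixed releases, and confirm no live AJP Connector remains in server.xml) can be scripted. The following is an added example, not CA's code; the server.xml content in it is a constructed sample, not the real CIC file.

```python
import re
import xml.etree.ElementTree as ET

# Minimum fixed Tomcat release per major line, from the version table
# in this article (the 6.x line has no fixed release).
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

def parse_version(banner):
    """Extract (major, minor, patch) from a version.bat banner line such as
    'Server version: Apache Tomcat/8.5.6'."""
    m = re.search(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Tomcat version in: %r" % banner)
    return tuple(int(x) for x in m.groups())

def version_is_vulnerable(banner):
    """True when the reported release predates the Ghostcat fix for its line."""
    v = parse_version(banner)
    if v[0] in FIXED:
        return v < FIXED[v[0]]
    if v[0] <= 6:
        return True  # 6.x and older: affected, no fixed release
    raise ValueError("Tomcat %d.x is not covered by the table above" % v[0])

def enabled_ajp_connectors(server_xml):
    """Return (port, protocol) for every live AJP Connector in server.xml.
    ElementTree discards XML comments, so a connector that has been commented
    out (the article's workaround) is not reported."""
    root = ET.fromstring(server_xml)
    return [(c.get("port"), c.get("protocol"))
            for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]

# Constructed sample server.xml (not the real CIC file): AJP connector live,
# then the same content after applying the workaround.
BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""
AJP_LINE = '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />'
AFTER = BEFORE.replace(AJP_LINE, "<!-- " + AJP_LINE + " -->")

if __name__ == "__main__":
    print(version_is_vulnerable("Server version: Apache Tomcat/8.5.6"))  # True
    print(enabled_ajp_connectors(BEFORE))  # [('8009', 'AJP/1.3')]
    print(enabled_ajp_connectors(AFTER))   # []
```

Tomcat only reads server.xml at startup, so run the connector check against the live file after the CIC Tomcat service has been restarted with the edited configuration.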