Client Automation - How to solve Apache Tomcat Ghostcat vulnerability (CVE-2020-1938)?

Article ID: 191417

Products

CA Client Automation - IT Client Manager
CA Client Automation

Issue/Introduction

How to solve Apache Tomcat Ghostcat vulnerability (CVE-2020-1938)

Environment

Client Automation - 14 SP2 and SP3

Cause

The Ghostcat vulnerability is only exploitable when Tomcat has an AJP connector enabled, as described at:

https://www.chaitin.cn/en/ghostcat

-----
Under what circumstances can Tomcat be exploited?

If the AJP Connector is enabled and the attacker can access the AJP Connector service port, there is a risk of being exploited by the Ghostcat vulnerability. It should be noted that the Tomcat AJP Connector is enabled by default and listens at 0.0.0.0:8009.
-----

Resolution

From the Client Automation perspective, the following components use Tomcat:

- Web Admin Console (WAC): 8.5.6 version
- Extended Network Connectivity (ENC): 8.5.6 version
- Content Import Client (CIC): 8.5.6 version

To check the installed Tomcat versions, run the following from a command prompt on the server:

set JAVA_HOME=C:\Program Files (x86)\CA\SC\JRE\1.8.0_92

cd \Program Files (x86)\CA\SC\Tomcat\8.5.6\bin
version.bat

cd \Program Files (x86)\CA\SC\CIC\Tomcat\bin
version.bat

Each should report: Server version: Apache Tomcat/8.5.6

The following Tomcat versions are affected by this vulnerability, per https://www.secpod.com/blog/ghostcat-vulnerability-cve-2020-1938/ :

Apache Tomcat 9.x < 9.0.31
Apache Tomcat 8.x < 8.5.51
Apache Tomcat 7.x < 7.0.100
Apache Tomcat 6.x

Based on the above information, only the CIC component of Client Automation is affected by this vulnerability. The Engineering team plans to upgrade the Tomcat version in a future release. Until then, the workaround is to comment out the AJP connector entry in the CIC server.xml (..SC\CIC\Tomcat\conf\server.xml).

The AJP protocol connector is the entry that exposes the vulnerability:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
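As an added example (not part of this article and not CA code), the script below performs the server.xml check and workaround described above: it reports every active AJP connector, then returns a copy of the file with those connectors wrapped in an XML comment, skipping any that are already commented out. The sample server.xml is constructed to mirror a stock Tomcat 8.5 configuration; the path to the real CIC file would be passed in by the administrator.

```python
"""Find active AJP connectors in a Tomcat server.xml (the CVE-2020-1938
exposure) and produce a copy with them commented out."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on a stock Tomcat 8.5 server.xml; not taken
# from a real Client Automation installation.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

def is_ajp(protocol):
    """True for any AJP connector spelling ("AJP/1.3", AjpNioProtocol...)."""
    return "ajp" in protocol.lower()

def find_ajp_connectors(xml_text):
    """Return (port, bind address) for every *active* AJP connector.
    ElementTree drops commented-out elements, so this doubles as the
    post-remediation check: an empty list means no AJP listener."""
    found = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if is_ajp(conn.get("protocol", "HTTP/1.1")):
            # No address attribute means Tomcat binds all interfaces.
            found.append((conn.get("port"), conn.get("address", "0.0.0.0")))
    return found

CONNECTOR_RE = re.compile(r"<Connector\b[^>]*/>")   # self-closing form only

def _inside_comment(text, pos):
    """True if offset `pos` lies inside an unclosed <!-- comment."""
    return text.rfind("<!--", 0, pos) > text.rfind("-->", 0, pos)

def disable_ajp(xml_text):
    """Wrap each active AJP <Connector .../> in an XML comment, leaving the
    rest of the file unchanged; verifies the result is still well-formed."""
    def wrap(m):
        tag = m.group(0)
        proto = re.search(r'protocol="([^"]*)"', tag)
        if proto is None or not is_ajp(proto.group(1)):
            return tag                       # HTTP/1.1 etc.: keep as-is
        if _inside_comment(xml_text, m.start()):
            return tag                       # already commented out
        return "<!-- disabled (CVE-2020-1938): " + tag + " -->"
    patched = CONNECTOR_RE.sub(wrap, xml_text)
    ET.fromstring(patched)                   # raises if we broke the XML
    return patched
```

Run find_ajp_connectors on the patched text afterwards: it must return an empty list, and the same check can be pointed at the WAC/ENC Tomcat instance to confirm no AJP listener is configured there either.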