How to solve Apache Tomcat Ghostcat vulnerability (CVE-2020-1938)
Client Automation - 14 SP2 and SP3
The Ghostcat vulnerability applies only when Tomcat uses AJP connectors, per:
https://www.chaitin.cn/en/ghostcat
-----
Under what circumstances can Tomcat be exploited?
If the AJP Connector is enabled and the attacker can access the AJP Connector service port, there is a risk of being exploited by the Ghostcat vulnerability. It should be noted that the Tomcat AJP Connector is enabled by default and listens at 0.0.0.0:8009.
-----
From the Client Automation perspective, the following components use Tomcat:
- Web Admin Console (WAC): version 8.5.6
- Extended Network Connectivity (ENC): version 8.5.6
- Content Import Client (CIC): version 8.5.6
To check the versions:
set JAVA_HOME=C:\Program Files (x86)\CA\SC\JRE\1.8.0_92
cd \Program Files (x86)\CA\SC\Tomcat\8.5.6\bin
version.bat
cd \Program Files (x86)\CA\SC\CIC\Tomcat\bin
version.bat
The output should show: Server version: Apache Tomcat/8.5.6
The following versions are affected by this vulnerability, according to https://www.secpod.com/blog/ghostcat-vulnerability-cve-2020-1938/ :
Apache Tomcat 9.x < 9.0.31
Apache Tomcat 8.x < 8.5.51
Apache Tomcat 7.x < 7.0.100
Apache Tomcat 6.x
Based on the above, only the CIC component of Client Automation is affected by this vulnerability. The Engineering team plans to upgrade the Tomcat version in a future release; until then, as a workaround, comment out the entry below in server.xml (..SC\CIC\Tomcat\conf\server.xml):
This AJP connector entry is what exposes the vulnerability:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
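The following Python script is an added example, not part of this article or of the Client Automation product: it reports which AJP connectors Tomcat would actually start from a server.xml and applies the workaround above by wrapping each live AJP connector in an XML comment, leaving connectors that are already commented out untouched. The server.xml fragment is constructed for the example; the function names are assumptions of this example.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample of a Tomcat 8.5 server.xml (not the product's real file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Self-closing <Connector .../> element whose protocol is AJP/1.3.
AJP_CONNECTOR = re.compile(r'<Connector\b[^<>]*?protocol=["\']AJP/1\.3["\'][^<>]*?/>')
XML_COMMENT = re.compile(r'<!--.*?-->', re.DOTALL)


def active_ajp_ports(xml_text):
    """Ports of the AJP connectors Tomcat would start from this config.
    ElementTree discards XML comments, so a connector that is already
    commented out is not reported."""
    root = ET.fromstring(xml_text)
    return [c.get("port") for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP")]


def disable_ajp(xml_text):
    """Return server.xml text with every live AJP connector wrapped in an
    XML comment (the workaround from this article). Connectors already
    inside a comment are left as they are, so the call is idempotent."""
    commented = [m.span() for m in XML_COMMENT.finditer(xml_text)]

    def inside_comment(pos):
        return any(start <= pos < end for start, end in commented)

    def wrap(match):
        if inside_comment(match.start()):
            return match.group(0)
        return "<!-- " + match.group(0) + " -->"

    return AJP_CONNECTOR.sub(wrap, xml_text)


if __name__ == "__main__":
    print("AJP ports before:", active_ajp_ports(SAMPLE_SERVER_XML))
    fixed = disable_ajp(SAMPLE_SERVER_XML)
    print("AJP ports after:", active_ajp_ports(fixed))
```

Disabling the connector also disables any AJP front-end integration, so confirm nothing proxies to port 8009 before applying the change and restarting Tomcat.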