Workload Automation DE WebServices: Mitigating Apache Tomcat JServ Protocol CVE-2020-1938 "Ghostcat" Critical vulnerability

Article ID: 194475

Products

CA Workload Automation DE - Scheduler (dSeries)
CA Workload Automation DE
CA Workload Automation DE - System Agent (dSeries)
CA Workload Automation AE - Business Agents (AutoSys)

Issue/Introduction

The 'Ghostcat' vulnerability, tracked as CVE-2020-1938, is a flaw that could let an unauthenticated remote attacker read the content of any file on a vulnerable web server and obtain sensitive configuration files or source code, or execute arbitrary code if the server also allows file upload.

Cause

The Apache JServ Protocol (AJP) is essentially an optimized version of the HTTP protocol that lets Tomcat communicate with an Apache web server placed in front of it. The AJP connector is enabled by default, listens on TCP port 8009 and is bound to IP address 0.0.0.0 (all interfaces); it can be exploited remotely only when that port is reachable by untrusted clients.

Every released branch of Apache Tomcat (9.x/8.x/7.x/6.x) has been found vulnerable; the fixed versions are listed in the following table.

Affected Apache Version           Fixed version
Apache Tomcat 9.0.30 and below    9.0.31
Apache Tomcat 8.5.50 and below    8.5.51
Apache Tomcat 7.0.99 and below    7.0.100

The following versions of the Workload Automation DE (dSeries) SOAP Web Services component are affected by this vulnerability, because the product embeds a vulnerable version of Tomcat:

r12.2
r12.1
r12.0 SP2
r12.0 SP1
r12.0
r11.3 SP3
r11.3 SP2
r11.3 SP1
r11.3 0000

Environment

CA Workload Automation DE (dSeries) SOAP Web Services

 

Resolution

To mitigate the vulnerability, perform the following steps.

1.  Stop the Web Services.

2.  Locate server.xml. The file is in <install_directory>/apache-tomcat/conf; the paths below are examples, and the actual location may differ.

In Linux:

/opt/CA/WAWebServices_R12_2/apache-tomcat/conf/server.xml

In Windows:

C:\Program Files\CA\WAWebServices_R12_2\apache-tomcat\conf\server.xml

3.  Edit server.xml. Open the file in a text editor and search for the following line:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

4. Comment out the line like this:

<!-- 

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

 -->

5. Save the server.xml and start the Web Services.
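An added verification script (not part of the original article or the product) to confirm that step 4 took effect: it parses server.xml with Python's ElementTree, which discards XML comments just as Tomcat's parser does, so a connector wrapped in <!-- --> is no longer reported. The two server.xml fragments are constructed samples, and the assumption that a connector without an address attribute binds all interfaces (0.0.0.0) follows the article.

```python
"""Check a Tomcat server.xml for an AJP connector that Tomcat would start."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the default connector line quoted in the article, in a
# minimal server.xml (not a real product file).
VULNERABLE_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: the same file after step 4 of the article.
MITIGATED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
     -->
  </Service>
</Server>"""


def active_ajp_connectors(xml_text):
    """Return (port, address) for every AJP connector Tomcat would start.

    Comments are dropped by the parser, so a commented-out connector is not
    reported. Matching "ajp" in the protocol value covers the "AJP/1.3"
    shorthand as well as class names such as org.apache.coyote.ajp.AjpNioProtocol.
    No address attribute means all interfaces, given as 0.0.0.0 in the article.
    """
    root = ET.fromstring(xml_text)
    found = []
    for conn in root.iter("Connector"):
        if "ajp" in conn.get("protocol", "").lower():
            found.append((conn.get("port"), conn.get("address", "0.0.0.0")))
    return found


def check_file(path):
    """Read a real server.xml and report its active AJP connectors."""
    with open(path, encoding="utf-8") as fh:
        return active_ajp_connectors(fh.read())


if __name__ == "__main__":
    # Pass the path to server.xml; without one, the constructed sample is used.
    hits = check_file(sys.argv[1]) if len(sys.argv) > 1 else active_ajp_connectors(VULNERABLE_XML)
    for port, address in hits:
        print(f"active AJP connector on {address}:{port} -> still exposed")
    if not hits:
        print("no active AJP connector found")
```

After restarting the Web Services, also confirm at the OS level that nothing is listening on TCP 8009 (for example with `ss -ltn` on Linux or `netstat -an` on Windows).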