Workload Automation DE WebServices: Mitigating Apache Tomcat JServ Protocol CVE-2020-1938 "Ghostcat" Critical vulnerability


Article ID: 194475




CA Workload Automation DE - Scheduler (dSeries)
CA Workload Automation DE
CA Workload Automation DE - System Agent (dSeries)
CA Workload Automation AE - Business Agents (AutoSys)


The 'Ghostcat' vulnerability, tracked as CVE-2020-1938, is a flaw that could let unauthenticated, remote attackers read the content of any file on a vulnerable web server and obtain sensitive configuration files or source code, or execute arbitrary code if the server allows file upload.


The Apache JServ Protocol (AJP) is basically an optimized version of the HTTP protocol that allows Tomcat to communicate with an Apache web server. The AJP connector is enabled by default and listens on TCP port 8009. It is bound to IP address and can only be exploited remotely when accessible to untrusted clients.

All released versions (9.x/8.x/7.x/6.x) of Apache Tomcat have been found vulnerable and are fixed as per the following table.


Affected Apache Version

Fixed version

Apache Tomcat 9.0.30 and below


Apache Tomcat 8.5.50 and below


Apache Tomcat 7.0.99 and below


The following versions of the Workload Automation DE (dSeries) SOAP web service component are impacted by the above vulnerability, since the product embeds a vulnerable version of Tomcat.

r12.0 SP2
r12.0 SP1
r11.3 SP3

r11.3 SP2
r11.3 SP1
r11.3 0000



CA Workload Automation DE (dSeries) SOAP Web Services



To mitigate the vulnerability, perform the following steps.

1.  Stop the Web Services.

2.  Locate the server.xml. The server.xml is located in <install_directory>/apache-tomcat/conf.

For example (the following are examples; the actual location may be different):

In Linux


In Windows:

C:\Program Files\CA\WAWebServices_R12_2\apache-tomcat\conf\server.xml

3.  Edit the server.xml. Open the file in a text editor and search for the following line:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

4. Comment out the line like this:


<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->


5. Save the server.xml and start the Web Services.
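
To confirm that the edit in steps 3 and 4 took effect, the following added example (not part of the original article and not vendor-supplied code) parses a server.xml and reports any AJP Connector that is still active. The function name, the script name in the usage comment and the sample XML are assumptions constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the Connector line quoted in the steps above.
AJP_LINE = '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />'
BEFORE = f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    {AJP_LINE}
  </Service>
</Server>"""
# The same file after step 4: the AJP Connector wrapped in an XML comment.
AFTER = BEFORE.replace(AJP_LINE, f"<!-- {AJP_LINE} -->")


def active_ajp_connectors(server_xml):
    """Return (port, address) for each AJP Connector that is still active.

    The XML parser drops comments, so a commented-out Connector is not
    returned; only connectors Tomcat would start on the next launch are.
    address is None when the Connector element sets no address attribute.
    """
    root = ET.fromstring(server_xml)  # accepts str or bytes
    return [
        (conn.get("port"), conn.get("address"))
        for conn in root.iter("Connector")
        # Matches "AJP/1.3" and AJP protocol class names alike.
        if "ajp" in conn.get("protocol", "").lower()
    ]


def main(argv):
    # Hypothetical usage: python check_ajp.py <path to server.xml>
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = AFTER  # no path given: run on the constructed sample
    active = active_ajp_connectors(data)
    for port, address in active:
        print(f"active AJP connector: port={port} address={address}")
    if not active:
        print("no active AJP connector found")
    return 1 if active else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits with status 1 while an AJP Connector remains active, so it can be run before restarting the Web Services in step 5.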