Spectrum Tomcat Vulnerability: CVE-2020-1938

Article ID: 194773

Products

CA Spectrum

Issue/Introduction

This is a new vulnerability, published 24 Feb 2020. Its impact is still listed as "Undergoing Analysis", and NIST considers it an unlikely scenario. It applies only to a specific deployment, with Tomcat behind a reverse proxy.

An arbitrary file read vulnerability exists in Tomcat's Apache JServ Protocol (AJP) due to an implementation defect. A remote, unauthenticated attacker could exploit this to access files which, under normal conditions, would be restricted. If the Tomcat instance supports file uploads, the vulnerability could also be leveraged to achieve remote code execution. (CVE-2020-1938)

Environment

Release : 10.4.x

Component : Spectrum OneClick

Resolution

The Spectrum Tomcat service has had the AJP Connector disabled for all current supported GA versions so it will not be vulnerable.

The Spectrum Webtomcat service is a little different. If you are running the following versions then this connector will also be disabled and not vulnerable:

Spectrum 10.4.1 with the 10.04.01.BMP_10.4.101b patch installed.
Spectrum 10.4.2

If you are not running one of these two versions, you can manually disable the AJP Connector for the Webtomcat service by performing the following steps:

Open the <SPECROOT>/webtomcat/conf/server.xml file and comment out the following lines:

<!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="9444" protocol="AJP/1.3" redirectPort="8443" />

Restart the Webtomcat service for the changes to take effect.

Disabling this connector does not affect any Spectrum functionality and ensures these services are no longer vulnerable.