The Tomcat version installed with AXA 17.3 is reported as containing vulnerability CVE-2020-1938 - how can we address this?
Release : 10.7.0
Component : APM Agents
The CVE is a false positive for AXA, and there is a workaround to mitigate it, because it relates to a feature that is not used in AXA.
As per the vulnerability description below:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
The TomEE/Tomcat servers are vulnerable only when the Apache JServ Protocol (AJP) connector is enabled. By default the AJP connector is enabled on these TomEE/Tomcat installations, and it is recommended that the connector be disabled if it is not required.
For AXA deployments the AJP Connector is not required and can be disabled, which fixes the vulnerability. This has been verified: the AJP connector was disabled and no issues were found.
Steps to disable AJP Connector:
1. Log in to the host on which AXA is installed and go to the AXA installation directory.
cd /opt/ca/aoPlatform
2. Switch to the non-root user
su <non-root axausername>
3. Edit the server configuration file
vi apache-tomee-plus-1.7.1/conf/server.xml
4. Comment out the section where the AJP Connector is enabled and save the file
<!-- <Connector port="9009" protocol="AJP/1.3" redirectPort="8443" server=" "/> -->
5. Restart only the server.
./bin/stopServices.sh -s
./bin/startServices.sh -s
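To confirm that step 4 actually took effect, the following added example (not part of the original article or the AXA product) parses a server.xml and lists every Connector that is still active with an AJP protocol. The XML parser drops comments, so a commented-out connector is correctly not reported, whereas a plain grep for AJP/1.3 would still match the commented line. The two server.xml excerpts are constructed; the port 9009 connector and the conf path are taken from the article.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml excerpt reflecting the state BEFORE step 4:
# the AJP connector on port 9009 is active alongside the HTTP connector.
SERVER_XML_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="9009" protocol="AJP/1.3" redirectPort="8443" server=" "/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed excerpt reflecting the state AFTER step 4: the same connector
# is wrapped in an XML comment, which the parser discards entirely.
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace(
    '<Connector port="9009" protocol="AJP/1.3" redirectPort="8443" server=" "/>',
    '<!-- <Connector port="9009" protocol="AJP/1.3" redirectPort="8443" server=" "/> -->',
)


def active_ajp_connectors(server_xml: str) -> list:
    """Return one dict per Connector whose protocol attribute names AJP.

    Matches both the short form "AJP/1.3" and fully qualified protocol class
    names such as org.apache.coyote.ajp.AjpNioProtocol.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
        if "AJP" in protocol.upper():
            found.append({
                "port": conn.get("port"),
                "protocol": protocol,
                # No 'address' attribute means the connector is not pinned to a
                # specific interface; that is the configuration worth flagging.
                "address": conn.get("address", "<all interfaces>"),
            })
    return found


def check_file(path: str) -> list:
    """Run the check on a real file, e.g. the article's
    /opt/ca/aoPlatform/apache-tomee-plus-1.7.1/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return active_ajp_connectors(fh.read())


if __name__ == "__main__":
    for label, xml_text in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER)):
        hits = active_ajp_connectors(xml_text)
        print(label + ":", ("ACTIVE AJP connector(s): %s" % hits) if hits else "no active AJP connector")
```

Running `check_file` against the live server.xml after the restart should return an empty list; a non-empty result means an AJP connector is still enabled.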