Vulnerability CVE-2020-1938 reported against Tomcat / TomEE version shipped with AXA 17.3

Article ID: 195151

Products

CA App Experience Analytics

Issue/Introduction

The Tomcat version installed with AXA 17.3 is reported as containing vulnerability CVE-2020-1938 - how can we address this?

Environment

Release : 10.7.0

Component : APM Agents

Resolution

The CVE report is a false positive for AXA: it concerns a feature (the AJP connector) that AXA does not use, and there is a workaround that mitigates it.

As per the vulnerability description at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938

TomEE/Tomcat servers are vulnerable only when the Apache JServ Protocol (AJP) connector is enabled. By default the AJP connector is enabled on these TomEE/Tomcat installations, and the recommendation is to disable the connector if it is not required.
For AXA deployments the AJP connector is not required and can be disabled, which removes the vulnerability. This has been verified: the AJP connector was disabled and no issues were found.

Steps to disable the AJP connector:

1. Log in to the host on which AXA is installed and change to the AXA installation directory:
   cd /opt/ca/aoPlatform

2. Switch to the non-root AXA user:
   su <non-root axausername>

3. Edit the server configuration file:
   vi apache-tomee-plus-1.7.1/conf/server.xml

4. Comment out the line that enables the AJP connector and save the file:
   <!-- <Connector port="9009" protocol="AJP/1.3" redirectPort="8443" server=" "/> -->

5. Restart only the server:
   ./bin/stopServices.sh -s
   ./bin/startServices.sh -s
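As an added example that is not part of this article, the POSIX shell script below applies step 4 to a server.xml and then checks that no uncommented AJP connector remains, which is the evidence worth keeping for the scanner finding. It assumes the Connector element sits on a single line, as in the article, and it runs against a constructed sample server.xml rather than a real AXA file (the file path, the helper names and the sample content are assumptions).

```shell
#!/bin/sh
# Added example, not part of the Broadcom KB article: comment out the AJP/1.3
# Connector in a Tomcat/TomEE server.xml (step 4 above) and verify that no
# uncommented AJP connector remains. Assumes the Connector element sits on a
# single line, as in the article's server.xml.

# Exit 0 if FILE still contains an AJP/1.3 Connector that is not inside an XML comment.
ajp_active() {
    file="$1"
    # Drop single-line comments, then drop any remaining multi-line comment
    # ranges, and look for an AJP/1.3 connector in what is left.
    sed 's/<!--.*-->//g' "$file" | sed '/<!--/,/-->/d' | grep -q 'protocol="AJP/1.3"'
}

# Wrap every uncommented single-line AJP/1.3 Connector element in an XML comment.
# Lines that are already commented are left alone, so the edit is idempotent.
# A backup of the original file is written to FILE.bak first.
disable_ajp() {
    file="$1"
    tmp="$file.tmp.$$"
    cp "$file" "$file.bak"
    sed '/<!--.*AJP\/1.3/!s|^\([[:space:]]*\)\(<Connector[^>]*protocol="AJP/1.3"[^>]*/>\)|\1<!-- \2 -->|' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample server.xml (not a real AXA file) carrying the AJP line from the article.
write_sample_server_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="9009" protocol="AJP/1.3" redirectPort="8443" server=" "/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
EOF
}

# Stand-alone run against the constructed sample.
demo() {
    f="$(mktemp)"
    write_sample_server_xml "$f"
    if ajp_active "$f"; then echo "before: AJP connector is active"; fi
    disable_ajp "$f"
    if ajp_active "$f"; then
        echo "after: AJP connector is still active"
        return 1
    fi
    echo "after: no active AJP connector"
    grep -n 'AJP' "$f"
    rm -f "$f" "$f.bak"
}
demo
```

After the restart in step 5, confirm on the host that nothing listens on the AJP port any more (9009 in the article's configuration), for example with `ss -ltn`. Scanners that match only on the Tomcat version string may keep reporting the CVE because the version has not changed; the commented-out connector and the closed port are the evidence to record for the finding.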