A recent Qualys port scan has discovered new vulnerabilities in the Tomcat 7.0.42 version that we run for CSM.
Here are the details of the vulnerability:
Impact-
The server could become unresponsive.
Solution-
Upgrade to Apache Tomcat 10.0.0-M7, 9.0.37, 8.5.57 or to the latest version of Apache Tomcat. Please refer to the Apache Tomcat website: http://tomcat.apache.org/index.html
Release : 6.0
Component : CCS TOMCAT, CSM TOMCAT
Checked the Qualys website and found:
https://blog.qualys.com/technology/2020/03/10/detect-apache-tomcat-ajp-file-inclusion-vulnerability-cve-2020-1938-using-qualys-was
Regarding CSM, this application doesn't have AJP enabled.
CSM isn't affected by this.
By the way, there is a Tomcat upgrade PTF for CSM: RO93077 (Tomcat 7.0.72).
For the Tomcat server delivered with CCS:
There are two PTFs, depending on the CCS release:
- PTF SO13166: FMID CEG1E10, tomzos 14.1, Tomcat release 9.0.35
- PTF SO13165: FMID CFF6F00, tomzos 15.0, Tomcat release 9.0.35
Here also, the Qualys vulnerability affects HTTP/2, and the default CCS Tomcat configuration uses HTTP/1.1.
It is not possible to update the CSM Tomcat with the CCS Tomcat version.
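The two configuration facts the responses above rely on (no AJP connector enabled, HTTP/1.1 rather than HTTP/2) can be verified directly from Tomcat's server.xml rather than taken on trust. The script below is an added example written for this page; it is not part of the ticket and is not IBM, CSM, CCS or Apache tooling. The two server.xml fragments it reads are constructed for illustration, and its fixed-version table is taken from the Qualys solution text quoted above (8.5.57 and 9.0.37). The 10.0.0-M7 milestone and the 7.0.x branch are deliberately left out of that table: the page lists no fixed 7.0 release, and milestone numbering does not compare as a plain version triple.

```python
"""Audit Tomcat server.xml connectors for the two points raised in the ticket:
an enabled AJP connector (the CVE-2020-1938 / Ghostcat exposure) and an HTTP/2
UpgradeProtocol. Added example; not IBM, CSM, CCS or Apache code."""
import xml.etree.ElementTree as ET

# Minimum fixed releases per branch, as quoted in the Qualys solution text.
# 7.0.x is deliberately absent: the page lists no fixed 7.0 release.
FIXED_VERSIONS = {"8.5": (8, 5, 57), "9.0": (9, 0, 37)}


def parse_version(version):
    """'9.0.35' -> (9, 0, 35). Milestone suffixes such as '-M7' are dropped."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def is_fixed(version):
    """True/False against the branch's fixed release, or None when the branch
    is not in the table (e.g. 7.0.42 or 7.0.72 from the ticket)."""
    parts = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        return None
    return parts >= fixed


def audit_connectors(server_xml):
    """Return one record per live <Connector>. Commented-out connectors are
    invisible to the XML parser, which is exactly the 'enabled' semantics wanted."""
    root = ET.fromstring(server_xml)
    records = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
        http2 = any(
            up.get("className", "").endswith("Http2Protocol")
            for up in conn.findall("UpgradeProtocol")
        )
        records.append({
            "port": conn.get("port"),
            "protocol": protocol,
            "ajp": "AJP" in protocol.upper(),
            "http2": http2,
            # Mitigations worth recording for an AJP connector; the defaults
            # differ between Tomcat releases, so report only what the file pins.
            "address": conn.get("address"),
            "secret_required": conn.get("secretRequired"),
        })
    return records


def summarize(server_xml):
    """Roll the per-connector records up to the two yes/no answers the ticket needs."""
    records = audit_connectors(server_xml)
    return {
        "ajp_enabled": any(r["ajp"] for r in records),
        "http2_enabled": any(r["http2"] for r in records),
        "connectors": len(records),
    }


# Constructed sample resembling the CSM/CCS description: HTTP/1.1 only, AJP commented out.
CLEAN_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed sample with both features live, to show that the flags fire.
EXPOSED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml_text in (("clean", CLEAN_SERVER_XML), ("exposed", EXPOSED_SERVER_XML)):
        print(label, summarize(xml_text))
    for v in ("7.0.42", "7.0.72", "9.0.35", "9.0.37", "8.5.57"):
        print(v, is_fixed(v))
```

To run this against a real installation, read the deployed conf/server.xml into `summarize`. Because the parser only sees live elements, an AJP connector that is merely commented out (as in the first constructed sample) is correctly reported as absent, while one that is present is reported together with whatever `address` and `secretRequired` the file itself pins. The `is_fixed` result of `None` for the 7.0.x releases named in the ticket mirrors the page: the Qualys text offers no fixed 7.0 release, only the newer branches or "the latest version".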