New vulnerability discovered in CSM Tomcat server

Article Id: 197118
Status: Published
Updated On: 26-08-2020 13:51
Products:
CA Mainframe Software Manager (Chorus Software Manager) , CA Chorus Software Manager , CA Common Services for z/OS
Issue/Introduction:

A most recent Qualys port scan has discovered new vulnerabilities in the 7.0.42 version of Tomcat that we run for CSM.  

Here are the details of the vulnerability:

 Impact-  
 The server could become unresponsive.

 Solution-
 Upgrade to the Apache Tomcat 10.0.0-M7, 9.0.37, 8.5.57 or to the latest version of Apache Tomcat. Please refer to <A HREF="http://tomcat.apache.org/index.html" TARGET="_blank">Apache Tomcat Website</A>.


Environment:

Release : 6.0

Component : CCS TOMCAT, CSM TOMCAT

Resolution:

Checking the Qualys website and found :

https://blog.qualys.com/technology/2020/03/10/detect-apache-tomcat-ajp-file-inclusion-vulnerability-cve-2020-1938-using-qualys-was

Related to CSM, this application doesnt have AJP enabled..
CSM isnt affected by this..

Btw, there is a Tomcat upgrade ptf for CSM, it's called RO93077, Tomcat 7.0.72...

For the Tomcat server delivered with CCS..
There are 2 ptfs, depending on CCS release :

- ptf SO13166 : fmid CEG1E10 - tomzos 14.1 - Tomcat rel 9.0.35
- ptf SO13165 : fmid CFF6F00  - tomzos 15.0 - Tomcat rel 9.0.35


Here also, the Qualys vulnerability affects HTTP/2, and CCS Tomcat uses HTTP/1.1 in the default CCS Tomcat...

It's not possible to update the CSM Tomcat with the CCS Tomcat version..