Apache Tomcat HTTP Request Smuggling (CVE-2020-1935) on DM / CCC Modules
Recent vulnerability in the CA Capacity Management DM/CCC module Tomcat: "Apache Tomcat HTTP Request Smuggling (CVE-2020-1935)"
Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.
An HTTP Request Smuggling vulnerability exists if Apache Tomcat is located behind a reverse proxy that incorrectly handles an invalid Transfer-Encoding header in a particular manner. Affected versions:
Apache Tomcat 9.0.0.M1 to 9.0.30
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 7.0.0 to 7.0.99
Exploitation of the vulnerability could lead to HTTP request smuggling.
Release: 2.94
Component: CA CAPACITY MANAGER
Upgrade CCC 2.94 Apache Tomcat to 8.5.51
Apache released a patch for Tomcat to address several vulnerabilities arising from recent internet attacks. Upgrade your CCC 2.9.4 Apache Tomcat installation by following these steps:
Follow the instructions that correspond to your operating system.
Go to <ccc-install-folder>\ApacheTomcat\conf and open the server.xml file. Search for "AJP/1.3" and comment out the Connector tag as follows:
Go to <ccc-install-folder>\ApacheTomcat\conf and open the web.xml file. Search for "JspServlet". Edit the file by adding an <init-param> tag as follows:
Check the permissions on the Apache Tomcat folder and grant full control to the currently logged-in user, as below:
To create the Apache Tomcat 8.5 service, open a command prompt, navigate to <ccc-install-folder>\ApacheTomcat\bin and execute the following commands:
Note: Replace <initial memory> with the initial memory value captured in step 2. Replace <max memory> with the maximum memory pool value captured in step 2.
Go to the installation directory <ccc-install-folder>/ and check the permissions on the Apache Tomcat folder; it must have full read/write permissions.
Start the Apache Tomcat 8.5 service and run the application.
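A post-upgrade verification for the two checks this procedure implies: the installed Tomcat build is outside the affected ranges listed above, and no AJP/1.3 Connector is still enabled in server.xml after the comment-out step. This is an added example, not CA/Broadcom code; the server.xml fragment and version strings are constructed for illustration.

```python
"""Verify the CCC Tomcat hardening steps: version out of the affected
ranges, and the AJP/1.3 Connector really commented out in server.xml.
Constructed example; the sample server.xml below is not a real CCC file."""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: branch -> (first build, last build).
# 9.0.0.M1..9.0.30, 8.5.0..8.5.50, 7.0.0..7.0.99 are affected.
AFFECTED = {"9.0": (0, 30), "8.5": (0, 50), "7.0": (0, 99)}


def is_affected(version: str) -> bool:
    """True if a Tomcat version string (e.g. '8.5.50', '9.0.0.M1') is
    inside one of the affected ranges; 8.5.51 and later are fixed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M\d+)?", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    branch = f"{m.group(1)}.{m.group(2)}"
    if branch not in AFFECTED:
        return False
    lo, hi = AFFECTED[branch]
    return lo <= int(m.group(3)) <= hi


def active_ajp_connectors(server_xml: str) -> list:
    """Ports of every AJP Connector that is still live. The XML parser
    drops comments, so a commented-out <Connector> is correctly ignored."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


# Constructed server.xml before and after the comment-out step.
BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""
AFTER = BEFORE.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->')

if __name__ == "__main__":
    print("8.5.50 affected:", is_affected("8.5.50"))   # True
    print("8.5.51 affected:", is_affected("8.5.51"))   # False
    print("AJP before:", active_ajp_connectors(BEFORE))  # ['8009']
    print("AJP after:", active_ajp_connectors(AFTER))    # []
```

Run it against the real <ccc-install-folder>\ApacheTomcat\conf\server.xml by passing the file contents to active_ajp_connectors; an empty list confirms the AJP step took effect.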