Apache Tomcat HTTP Request Smuggling (CVE-2020-1935) on DM/CCC Module

Article ID: 199905


Products

CA Capacity Manager

Issue/Introduction

Apache Tomcat HTTP Request Smuggling (CVE-2020-1935) on DM/CCC Modules

Environment

Release : 2.94

Component : CA CAPACITY MANAGER.

Cause

Recent vulnerability on the CA Capacity Management DM/CCC module Tomcat: "Apache Tomcat HTTP Request Smuggling (CVE-2020-1935)".

"Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

An HTTP request smuggling vulnerability exists if Apache Tomcat is located behind a reverse proxy that incorrectly handles an invalid Transfer-Encoding header in a particular manner.

Affected Versions:
Apache Tomcat 9.0.0.M1 to 9.0.30
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 7.0.0 to 7.0.99

Exploitation of the vulnerability could lead to HTTP request smuggling."

Resolution

Upgrade CCC 2.94 Apache Tomcat to 8.5.51

Apache released a patch for Tomcat to address several vulnerabilities arising from recent internet attacks. Upgrade your CCC 2.9.4 Apache Tomcat installation by following these steps:

  1. Download the latest Apache Tomcat patch using the following links:

  2. Extract the zip/tar file. The folder structure should look as follows:

Follow the instructions that correspond to your operating system.

Upgrade Instructions for CCC 2.9.4 on Windows

    1. Stop the existing Apache Tomcat service.
    2. Capture your current Apache Tomcat 7.0 CA_CCC service settings to reuse them after the upgrade:
      1. Open a command prompt and navigate to <ccc-install-folder>\ApacheTomcat\bin
      2. Execute the command: tomcat7w.exe //ES//CA_CCC
      3. Make a note of the 'Initial memory pool' and 'Maximum memory pool' settings.
    3. Delete the existing Apache Tomcat 7.0 CA_CCC service:
      1. Open a command prompt and navigate to <ccc-install-folder>\ApacheTomcat\bin
      2. Execute the command: service.bat uninstall CA_CCC
      3. Refresh services and close the command prompt.
    4. Rename the ApacheTomcat folder from <ccc-install-folder>\ApacheTomcat to <ccc-install-folder>\ApacheTomcat_Backup.
    5. Copy the extracted apache-tomcat-8.5.51 folder and paste it into the <ccc-install-folder>.
    6. Rename the apache-tomcat-8.5.51 folder in <ccc-install-folder> to ApacheTomcat.
    7. Delete the conf and webapps subfolders from <ccc-install-folder>\ApacheTomcat.
    8. Copy the conf and webapps folders from <ccc-install-folder>\ApacheTomcat_Backup and paste them into <ccc-install-folder>\ApacheTomcat.
    9. Copy the ccc.properties file from <ccc-install-folder> and paste it into <ccc-install-folder>\ApacheTomcat\webapps\ccc\WEB-INF\classes, replacing the ccc.properties file that is already present in this folder.
    10. Go to <ccc-install-folder>\ApacheTomcat\conf and open the server.xml file. Search for "JasperListener" and comment out the Listener tag as follows:

    11. Go to <ccc-install-folder>\ApacheTomcat\conf and open the server.xml file. Search for "AJP/1.3" and comment out the Connector tag as follows:

    12. Go to <ccc-install-folder>\ApacheTomcat\conf and open the web.xml file. Search for "JspServlet". Edit the file by adding an <init-param> tag as follows:


Check the permissions on the Apache Tomcat folder and give the currently logged-in user full control, as below:

  • Go to the installed directory <ccc-install-folder>\
  • Right-click the ApacheTomcat folder and open its properties, as below
  • Edit the permissions: select the currently logged-in user, click Edit and check the permissions; the permission applied should be Full Control, as shown in the image below:

To create the Apache Tomcat 8.5 service, open a command prompt, navigate to <ccc-install-folder>\ApacheTomcat\bin and execute the following commands:

Note: Replace <initial memory> with the initial memory pool value captured in step 2. Replace <max memory> with the maximum memory pool value captured in step 2.

  1. Refresh services.
  2. Start the Apache Tomcat 8.5 service and run the application.

Upgrade Instructions for CCC 2.9.4 on Linux

  1. Stop the existing Apache Tomcat service.
  2. Rename the ApacheTomcat folder from <ccc-install-folder>/ApacheTomcat to <ccc-install-folder>/ApacheTomcat_Backup.
  3. Copy the extracted apache-tomcat-8.5.51 folder and paste it into the <ccc-install-folder>.
  4. Rename the apache-tomcat-8.5.51 folder in <ccc-install-folder> to ApacheTomcat.
  5. Delete the conf and webapps subfolders from <ccc-install-folder>/ApacheTomcat.
  6. Copy the conf and webapps folders from <ccc-install-folder>/ApacheTomcat_Backup and paste them into <ccc-install-folder>/ApacheTomcat.
  7. Copy the ccc.properties file from <ccc-install-folder> and paste it into <ccc-install-folder>/ApacheTomcat/webapps/ccc/WEB-INF/classes, replacing the ccc.properties file that is already present in this directory.
  8. To capture the existing Apache Tomcat 7.0 settings, copy the setenv.sh file from the <ccc-install-folder>/ApacheTomcat_Backup/bin directory to <ccc-install-folder>/ApacheTomcat/bin.
  9. Go to <ccc-install-folder>/ApacheTomcat/conf and open the server.xml file. Search for "JasperListener" and comment out the Listener tag as follows:
  10. Go to <ccc-install-folder>/ApacheTomcat/conf and open the server.xml file. Search for "AJP/1.3" and comment out the Connector tag as follows:
  11. Go to <ccc-install-folder>/ApacheTomcat/conf and open the web.xml file. Search for "JspServlet". Edit the file by adding an <init-param> tag as follows:

Go to the installed directory <ccc-install-folder>/ and check the permissions on the ApacheTomcat folder; the folder should have full read/write permissions.

Start the Apache Tomcat 8.5 service and run the application.
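As an added example, not the KB article's own script, the file-level Linux steps 2 through 10 as a POSIX shell script, together with a check that the upgraded tree is laid out as the steps require and that no live JasperListener or AJP/1.3 tag remains in server.xml (the AJP connector is one less network listener left exposed after the upgrade). It assumes the stock Tomcat 7 server.xml, where each of those two tags sits on a single line, and leaves stopping and starting the service and the web.xml JspServlet edit to the operator.

```shell
#!/bin/sh
# Added example, not the KB article's own script. Steps 2-10 of the Linux
# procedure for a CCC install folder ($1) and an extracted apache-tomcat-8.5.51
# folder ($2). Assumes the stock Tomcat 7 server.xml (one tag per line).
set -eu

ccc_upgrade_tomcat() {
    inst="$1"; newtc="$2"
    sx="$inst/ApacheTomcat/conf/server.xml"
    # Step 2: keep the Tomcat 7 tree as the rollback copy.
    mv "$inst/ApacheTomcat" "$inst/ApacheTomcat_Backup"
    # Steps 3-4: bring in the 8.5.51 tree under the name CCC expects.
    cp -R "$newtc" "$inst/ApacheTomcat"
    # Steps 5-6: the stock conf and webapps give way to the CCC ones.
    rm -rf "$inst/ApacheTomcat/conf" "$inst/ApacheTomcat/webapps"
    cp -R "$inst/ApacheTomcat_Backup/conf" "$inst/ApacheTomcat/conf"
    cp -R "$inst/ApacheTomcat_Backup/webapps" "$inst/ApacheTomcat/webapps"
    # Step 7: the install-folder ccc.properties replaces the bundled copy.
    cp "$inst/ccc.properties" \
       "$inst/ApacheTomcat/webapps/ccc/WEB-INF/classes/ccc.properties"
    # Step 8: carry the Tomcat 7 JVM settings (setenv.sh) over.
    cp "$inst/ApacheTomcat_Backup/bin/setenv.sh" "$inst/ApacheTomcat/bin/setenv.sh"
    # Steps 9-10: wrap the JasperListener and AJP/1.3 lines in an XML comment,
    # skipping lines that are already commented. Written through a temp file
    # so it behaves the same with GNU and BSD sed.
    sed -e '/<!--/!s|^\([[:space:]]*\)\(<Listener [^>]*JasperListener[^>]*/>\)|\1<!-- \2 -->|' \
        -e '/<!--/!s|^\([[:space:]]*\)\(<Connector [^>]*protocol="AJP/1\.3"[^>]*/>\)|\1<!-- \2 -->|' \
        "$sx" > "$sx.tmp" && mv "$sx.tmp" "$sx"
}

# Returns 0 only if the upgraded tree has the layout the steps require and no
# active (uncommented) JasperListener or AJP/1.3 tag remains in server.xml.
ccc_verify_upgrade() {
    inst="$1"; sx="$inst/ApacheTomcat/conf/server.xml"
    [ -d "$inst/ApacheTomcat_Backup/conf" ] || return 1
    [ -f "$inst/ApacheTomcat/bin/setenv.sh" ] || return 1
    [ -f "$inst/ApacheTomcat/webapps/ccc/WEB-INF/classes/ccc.properties" ] || return 1
    if grep -E '^[[:space:]]*<(Listener|Connector) ' "$sx" | grep -qE 'JasperListener|AJP/1\.3'; then
        return 1   # a listener/connector line that is still live
    fi
    return 0
}

# Usage: sh upgrade.sh <ccc-install-folder> <extracted apache-tomcat-8.5.51>
if [ "$#" -eq 2 ]; then
    ccc_upgrade_tomcat "$1" "$2"
    ccc_verify_upgrade "$1" && echo "upgrade tree verified"
fi
```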