Apache Tomcat HTTP Request Smuggling (CVE-2020-1935) on DM / CCC Modules
Release: 2.94
Component: CA CAPACITY MANAGER
Recent vulnerability on the CA Capacity Management DM/CCC module Tomcat: "Apache Tomcat HTTP Request Smuggling (CVE-2020-1935)"
Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.
An HTTP Request Smuggling vulnerability exists if Apache Tomcat is located behind a reverse proxy that incorrectly handles an invalid Transfer-Encoding header in a particular manner.
Affected Versions:
Apache Tomcat 9.0.0.M1 to 9.0.30
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 7.0.0 to 7.0.99
Exploitation of the vulnerability could lead to HTTP request smuggling.
Upgrade CCC 2.94 Apache Tomcat to 8.5.51
Apache released a patch for Tomcat to address several vulnerabilities arising from recent internet attacks. Upgrade your CCC 2.9.4 Apache Tomcat installation by following these steps:
Follow the instructions that correspond to your operating system.
Go to <ccc-install-folder>\ApacheTomcat\conf and open the server.xml file. Search for "AJP/1.3" and comment out the Connector tag as follows:
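The step above asks you to comment out the AJP/1.3 Connector in server.xml. The following script is an added example (not CA/Broadcom code and not part of this article) that audits a server.xml for an AJP/1.3 Connector that is still active and emits a copy with that element wrapped in an XML comment, so you can verify the edit rather than eyeball it. It assumes the stock Tomcat layout in which the AJP connector is a single `<Connector ... protocol="AJP/1.3" ... />` element; the embedded server.xml is a constructed sample, and `SAMPLE_SERVER_XML`, `active_ajp_connectors` and `comment_out_ajp` are names chosen here.

```python
"""Audit a Tomcat server.xml for an active AJP/1.3 Connector and produce a copy
with that Connector commented out. Added example; not vendor code."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a stock Tomcat server.xml, with the AJP
# connector still enabled (the state this article's step is meant to change).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Matches a Connector element whose protocol attribute is AJP/1.3, whether it
# is self-closing or has an explicit closing tag.
AJP_CONNECTOR_RE = re.compile(
    r'<Connector\b[^>]*?protocol="AJP/1\.3"[^>]*?(?:/>|>.*?</Connector>)', re.S
)


def active_ajp_connectors(server_xml: str) -> list:
    """Return the port of every AJP/1.3 Connector the XML parser still sees.

    Commented-out elements are invisible to the parser, so an empty list means
    the step has been applied correctly."""
    root = ET.fromstring(server_xml.encode("utf-8"))
    return [
        c.get("port") for c in root.iter("Connector")
        if c.get("protocol", "") == "AJP/1.3"
    ]


def comment_out_ajp(server_xml: str) -> str:
    """Return server_xml with each active AJP/1.3 Connector wrapped in <!-- -->.

    Connectors that already sit inside a comment are left alone, so running the
    function twice does not produce a nested (malformed) comment."""
    comment_spans = [
        (m.start(), m.end()) for m in re.finditer(r"<!--.*?-->", server_xml, re.S)
    ]

    def inside_comment(pos: int) -> bool:
        return any(start <= pos < end for start, end in comment_spans)

    def wrap(m: "re.Match") -> str:
        if inside_comment(m.start()):
            return m.group(0)  # already commented out; keep as-is
        return "<!-- " + m.group(0) + " -->"

    return AJP_CONNECTOR_RE.sub(wrap, server_xml)


if __name__ == "__main__":
    # Usage: python audit_ajp.py <path-to-server.xml>  (prints the fixed file)
    # With no argument, the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    print("active AJP connectors before:", active_ajp_connectors(text))
    fixed = comment_out_ajp(text)
    print("active AJP connectors after: ", active_ajp_connectors(fixed))
    print(fixed)
```

Run it against the real `<ccc-install-folder>\ApacheTomcat\conf\server.xml` and keep a backup of the original; the parser-based check is the useful part, because it confirms that Tomcat itself will no longer open the AJP port after the edit.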
Go to <ccc-install-folder>\ApacheTomcat\conf and open the web.xml file. Search for "JspServlet". Edit the file by adding an <init-param> tag as follows:
Check the permissions on the Apache Tomcat folder and grant full control to the currently logged-in user as below:
To create the Apache Tomcat 8.5 service, open a command prompt, navigate to <ccc-install-folder>\ApacheTomcat\bin and execute the following commands:
Note: Replace <initial memory> with the initial memory value captured in step 2. Replace <max memory> with the maximum memory pool value captured in step 2.
Go to the installation directory <ccc-install-folder>/ and check the permissions on the Apache Tomcat folder; the folder must have full read/write permissions.
Start the Apache Tomcat 8.5 service and run the application.