Spectrum Jasper 6.4.3 - Apache Tomcat HTTP Request Smuggling(CVE-2020-1935)

Article ID: 200358


Products

CA Spectrum, CA eHealth

Issue/Introduction

Jasper version: 6.4.3

Tomcat version:
--------------------
Server version: Apache Tomcat/8.5.24


Our internal security team identified a vulnerability on the Jasper (Spectrum) Tomcat: "Apache Tomcat HTTP Request Smuggling (CVE-2020-1935)".


Title
------
Apache Tomcat HTTP Request Smuggling(CVE-2020-1935)

CVE ID
------
CVE-2020-1935

Threat
------
"Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

HTTP Request Smuggling vulnerability exists if Apache Tomcat is located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner.

Affected Versions:
Apache Tomcat 9.0.0.M1 to 9.0.30
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 7.0.0 to 7.0.99

QID Detection Logic:
The QID checks for vulnerable version by sending a GET /QUALYS13812 HTTP/1.0 request which helps in retrieving the installed version of Apache Tomcat in the banner of the response."

Impact
------
Exploitation of the vulnerability could lead to HTTP request smuggling.


Environment

Release: 10.4

Jasper Version is 6.4.3

Tomcat version: Apache Tomcat/8.5.24

Component: OneClick Report Manager / Jaspersoft / CABI

Cause

Jasper Version is 6.4.3

Tomcat version: Apache Tomcat/8.5.24

As per the scanner report, Apache Tomcat 8.5.0 to 8.5.50 is listed under vulnerable versions, so the Tomcat 8.5.24 bundled with Jasper 6.4.3 falls inside the affected range and is flagged.
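As an added example, not part of this article or of the scanner's own code, the check below implements the version logic behind the QID detection and the Cause above: it pulls the `Apache Tomcat/x.y.z` banner out of a response body (here a constructed sample of Tomcat's default 404 page) and tests it against the three affected ranges listed in the Threat section, treating 9.0.0.M1-style milestone builds as earlier than 9.0.0.

```python
import re

# Affected ranges from the scanner report (inclusive bounds).
AFFECTED_RANGES = [("9.0.0.M1", "9.0.30"), ("8.5.0", "8.5.50"), ("7.0.0", "7.0.99")]

# Version banner as printed on Tomcat's default error pages.
BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:\.M\d+)?)")


def parse_version(text):
    """Turn '8.5.24' or '9.0.0.M1' into a comparable tuple.

    Milestones sort as (0, n) and final releases as (1, 0), so that
    9.0.0.M1 < 9.0.0.M27 < 9.0.0 < 9.0.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    suffix = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), suffix)


def is_affected(version):
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def check_response(response_text):
    """Return (banner version or None, affected flag) for a raw HTTP response."""
    m = BANNER_RE.search(response_text)
    if not m:
        return (None, False)
    return (m.group(1), is_affected(m.group(1)))


# Constructed sample of a Tomcat default 404 page; not captured from a real host.
SAMPLE_RESPONSE = """HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8

<html><head><title>HTTP Status 404 - Not Found</title></head>
<body><h1>HTTP Status 404 - Not Found</h1><hr class="line" />
<h3>Apache Tomcat/8.5.24</h3></body></html>"""

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))  # -> ('8.5.24', True)
```

A banner that is absent (for example when the default error page has been replaced) yields `(None, False)`, which means "unknown", not "patched"; confirm the version on the host in that case.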

Resolution

Step 1:

Export the data

Import and export data in Jasper Reports Server


Step 2:

Uninstall Jasper

Uninstall CA Business Intelligence JasperReports Server


Step 3:

Install Jasper with a custom Tomcat version

Follow the steps given in the link below:

JasperServer GUI Installation


In Step 8, choose Custom Install:

If a different version of Apache Tomcat is required, select Custom Install. In subsequent steps, the location and/or connection information about one or both of these pre-installed components must be provided. If a custom install is preferred, select Custom Install, then click Next (skip to the Custom Installation section of that guide to continue).


Step 4:

Import the Data

Import and export data in Jasper Reports Server