AJP vulnerabilities and Endevor Web Services


Article ID: 207780


Updated On:

Products

CA Endevor Software Change Manager (SCM)

Issue/Introduction

Endevor Web Services have been installed using CCS Tomcat 9.0.35. Are there any AJP vulnerabilities to be concerned about?

Environment

Release : 18.1

Component : CA Endevor Software Change Manager

CCS Tomcat 9.0.35

Resolution

Review $Tomcat/conf/server.xml and check which connectors are active:

Tomcat is configured to use the SSL (HTTPS) connector:

    <Connector port="10444" maxHttpHeaderSize="8192"
          maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
          enableLookups="false" disableUploadTimeout="true"
          SSLEnabled="true"
          algorithm="IbmX509"
          acceptCount="100" scheme="https" secure="true"
          clientAuth="false" sslProtocol="TLS"
          sslEnabledProtocols="+TLSv1.2,+TLSv1.1,+TLSv1"
          keystoreType="JCERACFKS"
          keystoreFile="safkeyring://WSTOMSTC/WSTOMRing"
          sslImplementationName="com.ca.sslsocket.CASSLImplementation" />


Tomcat is not using the AJP protocol: the AJP connector definition is commented out, so no AJP listener is started.

    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               redirectPort="8443" />
    -->

There should be no AJP vulnerabilities if the AJP protocol is not enabled in Tomcat (the default protocol used in CCS Tomcat 9 is SSL). An AJP-specific issue such as CVE-2020-1938 can only be reached through a running AJP connector.
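The check above is done by eye on one server.xml. The following added example (not part of this article or of the CCS Tomcat distribution) automates it: it parses a server.xml with Python's standard library, which discards XML comments, so a commented-out AJP connector like the one above is correctly reported as inactive, while an uncommented one is reported together with its bind address and whether a shared secret is configured. The three server.xml documents embedded below are constructed for the demonstration; the first reproduces the connectors shown in this article.

```python
"""Audit a Tomcat server.xml for active AJP connectors.

Added example, not code from the article or from CCS Tomcat. Assumes the
Tomcat 9 Connector attributes `protocol`, `port`, `address`, `secret` and
`secretRequired`; sample documents are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per active (uncommented) AJP connector.

    ElementTree drops XML comments while parsing, so a connector that is
    commented out (as in the article) never appears in the result.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # A Connector with no protocol attribute is an HTTP/1.1 connector.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        loopback_only = address in LOOPBACK_ADDRESSES
        has_secret = bool(conn.get("secret"))
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if address is None:
            # Tomcat 9.0.31+ binds AJP to loopback by default, older builds
            # bind all interfaces: an explicit address is the safe choice.
            risk = "review"
        elif not loopback_only and not has_secret:
            risk = "high"   # reachable from the network, no shared secret
        else:
            risk = "low"
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "loopback_only": loopback_only,
            "secret_configured": has_secret,
            "secret_required": secret_required,
            "risk": risk,
        })
    return findings


# Constructed server.xml matching the article: HTTPS connector active,
# AJP connector commented out.
SERVER_XML_COMMENTED_AJP = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="10444" maxHttpHeaderSize="8192"
          maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
          enableLookups="false" disableUploadTimeout="true"
          SSLEnabled="true" algorithm="IbmX509"
          acceptCount="100" scheme="https" secure="true"
          clientAuth="false" sslProtocol="TLS"
          sslEnabledProtocols="+TLSv1.2,+TLSv1.1,+TLSv1"
          keystoreType="JCERACFKS"
          keystoreFile="safkeyring://WSTOMSTC/WSTOMRing"
          sslImplementationName="com.ca.sslsocket.CASSLImplementation" />
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               redirectPort="8443" />
    -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed: AJP enabled on all interfaces with the secret requirement
# switched off. This is the configuration that exposes AJP to the network.
SERVER_XML_EXPOSED_AJP = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="AJP/1.3" port="8009" address="0.0.0.0"
               secretRequired="false" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed: AJP enabled but loopback-bound with a shared secret
# (placeholder value), the hardened shape for a local reverse proxy.
SERVER_XML_LOCAL_AJP = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="AJP/1.3" port="8009" address="::1"
               secret="PLACEHOLDER-SECRET" redirectPort="8443" />
  </Service>
</Server>"""


if __name__ == "__main__":
    for name, doc in [("article", SERVER_XML_COMMENTED_AJP),
                      ("exposed", SERVER_XML_EXPOSED_AJP),
                      ("local", SERVER_XML_LOCAL_AJP)]:
        print(name, audit_ajp_connectors(doc) or "no active AJP connector")
```

Run it against a real installation by reading `$Tomcat/conf/server.xml` into a string and passing it to `audit_ajp_connectors`; an empty result confirms the state described in this article, while a `high` or `review` finding means the AJP connector is live and its bind address and secret need attention.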

Additional Information

CVE-2020-1938 (Ghostcat): Apache Tomcat AJP File Read/Inclusion Vulnerability