Question: Can the Tomcat bundled with AAI be upgraded independently because of the Apache Tomcat WebSocket Denial of Service vulnerability?
Release : 6.0.1
Component : AUTOMIC AUTOMATION INTELLIGENCE ENGINE
Defect
We are aware of the issue, and, even with the latest build, we cannot upgrade Apache Tomcat independently of upgrading the full Insight software as they are bundled together. Please review the following article on that: https://knowledge.broadcom.com/external/article?articleId=198187
A defect with Development was already raised to request a new Insight build with a later version of Tomcat to address this vulnerability.
The defect number is DE475584.
Please see the reasons below:
1. Our Engineering teams are currently implementing additional security measures to help prevent the release of product vulnerabilities.
2. The upgrading of Jasper and Tomcat is planned and is scheduled to be released with our product before the end of this year and will undergo rigorous vulnerability testing with these new tools.
3. Regarding the specific vulnerability CVE-2020-1935 in Jasper, the external threat can be mitigated by not having the Jasper server open to the public.
As to how to explain or mitigate this further, there are two factors to consider when analyzing a threat:
1. Probability
2. Impact
The probability can be minimized by keeping the server inside a closed network (which is likely the case already). We would rate the probability of attack as low, since it would require that any attack be generated from internal (thus already compromised) systems or by nefarious actors within the company.
The impact is to render the service inoperable due to a DDoS attack. This means that some of the reports (but not all) from the AAI product would be unavailable until the attack is neutralized. Generally, I would rate the impact as low to medium, depending on which (if any) reports are considered important to the business. Generally, the data available in the Jasper reports can be obtained in other ways in the event of an outage (thick client reports, direct database queries).