Vulnerability scan of Process Automation (ITPAM) servers reveals an 'Apache Tomcat AJP File Inclusion Vulnerability'.
CA Process Automation 4.x
For PAM 4.3.X
When Process Automation (ITPAM) is installed, all of the JBoss files are installed, but ITPAM does not need the "jbossweb.sar" folder.
To remediate the reported vulnerability, follow the steps below.
1. Locate and back up the <ITPAM installation location>\PAM\server\c2o\deploy\jbossweb.sar\server.xml file.
2. Edit the file with a text editor and comment out the Connector element whose protocol is "AJP/1.3" (the "AJP 1.3 Connector"), by replacing its opening "<" with "<!--" and its closing ">" with "-->". After the change the element should read:
<!--Connector port="${tomcat.connector.ajp.port}" address="${jboss.bind.address}" emptySessionPath="true" enableLookups="false" redirectPort="${tomcat.secure.port}" protocol="AJP/1.3" useBodyEncodingForURI="true" maxThreads="3000" backlog="20000" connectionTimeout="120000" keepAliveTimeout="120000"/-->
3. Save the changes and recycle (restart) the ITPAM service.
For PAM 4.4
1. Locate and back up the <ITPAM installation location>\wildfly\standalone\configuration\standalone-full-ha.xml file.
2. Edit the file with a text editor and comment out the following three sections: the modcluster subsystem, the ajp-listener element, and the "ajp" socket-binding. They sit in different parts of the file, and each is wrapped in its own "<!-- ... -->" comment. After the change they should read:

   <!-- <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
          <proxy name="default" advertise-socket="modcluster" listener="ajp">
            <dynamic-load-provider>
              <load-metric type="cpu"/>
            </dynamic-load-provider>
          </proxy>
        </subsystem> -->

   <!-- <ajp-listener name="ajp" socket-binding="ajp"/> -->

   <!-- <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/> -->
3. Save the changes and recycle (restart) the ITPAM service.
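An added verification check, not part of this article or of the product: after editing either file, the script below parses it and reports any AJP element that is still live (a correctly commented-out section disappears from the parse tree). The embedded XML samples are constructed stand-ins for server.xml and standalone-full-ha.xml, not copies of a real installation, and the namespace versions in them are illustrative.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]

def find_live_ajp(xml_text):
    """List every AJP-related element still active in a PAM config file.

    Handles the jbossweb.sar server.xml (PAM 4.3.x) and the WildFly
    standalone-full-ha.xml (PAM 4.4). ElementTree discards XML comments,
    so a correctly commented-out section produces no finding.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "Connector" and el.get("protocol", "").upper().startswith("AJP"):
            findings.append("Tomcat AJP connector on port %s" % el.get("port"))
        elif name == "ajp-listener":
            findings.append("ajp-listener '%s'" % el.get("name"))
        elif name == "socket-binding" and el.get("name") == "ajp":
            findings.append("socket-binding 'ajp' on port %s" % el.get("port"))
        elif name == "subsystem" and "modcluster" in el.tag:  # tag carries the xmlns URI
            findings.append("modcluster subsystem proxying to the AJP listener")
    return findings

# Constructed, minimal stand-in for a PAM 4.3.x server.xml with the AJP connector live.
SERVER_XML_43 = ('<Server><Service name="jboss.web">'
                 '<Connector port="8080" protocol="HTTP/1.1"/>'
                 '<Connector port="8009" protocol="AJP/1.3"/>'
                 '</Service></Server>')

# Constructed stand-in for the three PAM 4.4 sections; namespace versions are illustrative.
MODCLUSTER = ('<subsystem xmlns="urn:jboss:domain:modcluster:5.0">'
              '<proxy name="default" advertise-socket="modcluster" listener="ajp"/></subsystem>')
AJP_LISTENER = '<ajp-listener name="ajp" socket-binding="ajp"/>'
AJP_BINDING = '<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>'
UNPATCHED_44 = f"""<server xmlns="urn:jboss:domain:5.0">
  <profile><subsystem xmlns="urn:jboss:domain:undertow:4.0"><server name="default-server">
    {AJP_LISTENER}<http-listener name="default" socket-binding="http"/></server></subsystem>
  {MODCLUSTER}</profile>
  <socket-binding-group name="standard-sockets">{AJP_BINDING}</socket-binding-group>
</server>"""
# The same file after each of the three sections is wrapped in <!-- ... -->.
PATCHED_44 = UNPATCHED_44
for _section in (MODCLUSTER, AJP_LISTENER, AJP_BINDING):
    PATCHED_44 = PATCHED_44.replace(_section, "<!-- " + _section + " -->")
```

To check a real file, call find_live_ajp(open(path).read()); an empty list means no AJP element survived the edit.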