Apache Tomcat Vulnerability (CVE-2020-1938)

Apache Software Foundation has announced the critical vulnerability for Apache Tomcat as follows:

• CVE-2020-1938 AJP Request Injection and potential Remote Code Execution
  When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.

 The vulnerability exists in the following versions of Apache Tomcat:

　Apache Tomcat 7.0.0 to 7.0.99
　Apache Tomcat 8.5.0 to 8.5.50
　Apache Tomcat 9.0.0.M1 to 9.0.30

For more detail, refer to an article by Apache Software Foundation:

Impact and Workaround

SVF

Version Affected:

Workaround:

if AJP protocol is not used:  Open "server.xml" in text editor and comment out "protocol="AJP/1.3"" connector and restart SVF services. "server.xml" can be found in <SVF installation folder>\apache-tomcat/conf. 

If AJP protocol is used: Specify IP address (E.g. Loop-back IP address 127.0.0.1) to allow access from secure server only.
 

Dr. Sum

Version Affected:

Workaround:

if AJP protocol is not used (default):  Open "server.xml" in text editor and comment out "protocol="AJP/1.3"" connector and restart Datalizer Server services. "server.xml" can be found in following folders:

 If AJP protocol is used: Enable firewall to allow access to AJP port from Web server only.

MotionBoard

Version Affected:

Workaround:

 Enable firewall to allow access to AJP port from Web server only if AJP protocol is used.

Solution

We are planning to release newer versions or patches to address the vulnerability as follows: