Last updated: 23/Mar/2020
KB#: 000016532
Summary
The Apache Software Foundation has announced the following critical vulnerability in Apache Tomcat:
- CVE-2020-1938 AJP Request Injection and potential Remote Code Execution
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.
The vulnerability exists in the following versions of Apache Tomcat:
Apache Tomcat 7.0.0 to 7.0.99
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 9.0.0.M1 to 9.0.30
For more detail, refer to the article by the Apache Software Foundation:
Impact and Workaround
SVF
Version Affected:
Product | Version |
SVF Web Designer | 9.2 to 10.0 |
SVF Java Products | 9.0 to 10.0 |
Report Director Enterprise | 9.0 to 10.0 |
Universal Connect/X | 9.0 to 10.0 |
SPA | 10.x |
Workaround:
If AJP protocol is not used: open server.xml in a text editor, comment out the connector that has protocol="AJP/1.3", and restart the SVF services. server.xml is located in <SVF installation folder>\apache-tomcat\conf.
If AJP protocol is used: restrict the connector to a specific IP address (e.g. the loopback address 127.0.0.1) so that only the secure server can access it.
Dr. Sum
Version Affected:
Product | Version |
Dr. Sum Datalizer | 5.0 to 5.1 |
Dr. Sum EA Datalizer | 4.2 |
Workaround:
If AJP protocol is not used (default): open server.xml in a text editor, comment out the connector that has protocol="AJP/1.3", and restart the Datalizer Server services. server.xml is located in the following folders:
Version | Folder path | AJP port |
4.2 | <Installation folder>\tomcat\instances\sms\conf; <Installation folder>\tomcat\instances\sps\conf | 8349, 8109, 8209 |
5.0 to 5.1 | <Installation folder>\tomcat\instances\sps\conf | 8109 |
If AJP protocol is used: configure the firewall so that only the Web server can access the AJP port.
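The SVF and Dr. Sum workarounds above both come down to the state of the AJP connector in server.xml: either it is commented out, or it is bound to an address that only the trusted server can reach. The script below is an added example, not code from the vendor or from Apache, that audits a server.xml for AJP connectors which are still active and not bound to a loopback address. The three embedded server.xml samples are constructed for the example (trimmed to the connectors; the ports and the address attribute follow the stock Tomcat layout), and the loopback address set is an assumption of this check.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed server.xml samples (not the vendor's shipped files), trimmed to
# the parts that matter for this check. The AJP connector is the one with
# protocol="AJP/1.3"; the HTTP connector is included only as a distractor.
DEFAULT_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Workaround when AJP is not used: the connector is commented out. An XML
# parser drops comments, so the connector no longer exists for Tomcat either.
COMMENTED_OUT_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- AJP not used: connector disabled as per the workaround
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
  </Service>
</Server>
"""

# Workaround when AJP is used: the connector listens on loopback only.
LOOPBACK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />
  </Service>
</Server>
"""

# Addresses that keep the connector reachable from the local host only
# (assumption of this check; extend it if your trusted server is elsewhere).
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def find_ajp_connectors(server_xml: str) -> list:
    """Return every active <Connector> whose protocol is AJP.

    Matches the short form "AJP/1.3" as well as the explicit protocol
    class names, whose package name also contains "ajp".
    """
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if "AJP" in c.get("protocol", "").upper()]


def audit_ajp(server_xml: str) -> list:
    """One finding per active AJP connector: port, bind address, exposure."""
    findings = []
    for connector in find_ajp_connectors(server_xml):
        address = connector.get("address")  # absent means "all interfaces"
        findings.append({
            "port": connector.get("port"),
            "address": address,
            "exposed": address is None or address not in LOOPBACK_ADDRESSES,
        })
    return findings


def is_hardened(server_xml: str) -> bool:
    """True when no AJP connector is reachable beyond the local host."""
    return not any(f["exposed"] for f in audit_ajp(server_xml))


def main(paths):
    """Audit server.xml files named on the command line, or the samples."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [
        ("default (constructed)", DEFAULT_SERVER_XML),
        ("commented out (constructed)", COMMENTED_OUT_SERVER_XML),
        ("loopback (constructed)", LOOPBACK_SERVER_XML),
    ]
    for name, xml_text in sources:
        verdict = "OK" if is_hardened(xml_text) else "EXPOSED"
        print(f"{name}: {verdict} {audit_ajp(xml_text)}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with the path(s) to the server.xml files listed in the tables above to audit a real installation; with no arguments it audits the three constructed samples. The check only sees what is in server.xml: where the workaround is a firewall rule in front of the AJP port (the "AJP is used" case for Dr. Sum and MotionBoard), an unrestricted connector is reported as exposed even though the firewall may be doing the job, so treat that finding as a prompt to verify the rule rather than as a verdict.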
MotionBoard
Version Affected:
Product | Version |
MotionBoard | 6.0 |
MotionBoard for Dr. Sum | 6.0 |
Workaround:
If AJP protocol is used, configure the firewall so that only the Web server can access the AJP port.
Solution
We are planning to release newer versions or patches that address the vulnerability, as follows:
Product | Version | Planned Release Date |
SVF Web Designer | 9.2 | June 2020 (SVF 9.2 Service Pack 9) |
SVF Web Designer | 10.x | Winter 2020 (SVF 10.1) |
SPA | 10.x | Summer 2020 (SPA 10.4) |
Dr. Sum Datalizer | 4.x, 5.x | TBD |
MotionBoard | 6.0 | 1st June 2020 (MotionBoard 6.1); patch release for 6.0 is TBD |