iManager 3.2.1 possibly affected by Tomcat vulnerability (CVE-2020-1938)

  • 7024475
  • 04-Mar-2020
  • 05-Mar-2020

Environment

iManager 3.2.1

Situation

Micro Focus has been made aware of this potential vulnerability and is currently investigating its impact.


Resolution

This vulnerability concerns the configuration of Tomcat's JServ Protocol (AJP) connector in standalone iManager instances.

The following modifications can be made to Tomcat's configuration to work around this potential issue.

1. Edit the /etc/opt/novell/tomcat9/server.xml file and comment out the default AJP connector. Below is an example; the server's port may vary:

<!-- Connector port="9009" enableLookups="false" protocol="AJP/1.3"
redirectPort="8443" / -->

2. After making this change, restart Tomcat. A netstat will then show that Tomcat is no longer listening on the AJP port.
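
The two steps above can be checked with a script. The following is an added example, not part of the original article and not Micro Focus code: it parses server.xml, reports any AJP connector that is still active (not commented out), and probes its port. The two sample configurations are constructed for illustration, and the function names are this example's own.

```python
import socket
import sys
import xml.etree.ElementTree as ET

SERVER_XML = "/etc/opt/novell/tomcat9/server.xml"  # path given in the article
# Constructed samples (not a real iManager file): before and after the workaround.
SAMPLE_BEFORE = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
  <Connector port="9009" enableLookups="false" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""
SAMPLE_AFTER = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
  <!-- Connector port="9009" enableLookups="false" protocol="AJP/1.3"
  redirectPort="8443" / -->
</Service></Server>"""

def is_ajp(protocol):
    """True for protocol="AJP/1.3" or an org.apache.coyote.ajp.* handler class."""
    p = (protocol or "").strip().lower()
    return p.startswith(("ajp/", "org.apache.coyote.ajp."))

def active_ajp_connectors(xml_text):
    """Return [(port, address)] for each AJP <Connector> that is not commented out.
    ElementTree drops XML comments while parsing, so a connector wrapped in
    <!-- ... --> is never seen as an element and counts as disabled."""
    root = ET.fromstring(xml_text)
    return [(c.get("port"), c.get("address"))
            for c in root.iter("Connector") if is_ajp(c.get("protocol"))]

def is_listening(port, host="127.0.0.1", timeout=1.0):
    """Best-effort TCP connect: the scripted counterpart of the netstat check."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except (OSError, TypeError, ValueError):
        return False

def main(path=SERVER_XML):
    with open(path, "rb") as fh:  # bytes, so the parser honors the declared encoding
        connectors = active_ajp_connectors(fh.read())
    for port, address in connectors:
        state = "LISTENING" if is_listening(port, address or "127.0.0.1") else "not listening"
        print(f"active AJP connector: port={port} address={address or 'unset'} ({state})")
    if not connectors:
        print(f"no active AJP connector in {path}; confirm Tomcat was restarted")
    return 1 if connectors else 0

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it on the iManager server after editing the file; a non-zero exit status means an AJP connector is still enabled in the configuration.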