How to avoid the Tomcat "Ghostcat" vulnerability (CVE-2020-1938) on OES

  • 7024489
  • 16-Mar-2020
  • 07-May-2020

Environment

Open Enterprise Server 2018 Support Pack 1 (OES 2018 SP1)
Open Enterprise Server 2015 Support Pack 1 (OES 2015 SP1)

Situation

The Apache JServ Protocol (AJP) has a vulnerability that is described at https://nvd.nist.gov/vuln/detail/CVE-2020-1938.

On OES, iManager and NetStorage use AJP.

iManager and NetStorage are configured to establish AJP connections over the loopback interface at TCP port 9009.

The novell-tomcat configuration does not bind its AJP Connector to a particular address, so it listens on all IP addresses at port 9009. This exposes OES to the vulnerability if port 9009 is not blocked by a firewall.

Resolution

To avoid the vulnerability, adjust the novell-tomcat configuration as follows so that its AJP Connector listens on the loopback interface only:

--- On OES 2018 SP1:

1) Edit /etc/opt/novell/tomcat/conf/server.xml with an ASCII text editor like "vi".

2) Search for the Connector configuration in question:

    <Connector port="9009"
           connectionTimeout="20000"
           redirectPort="443"
           protocol="AJP/1.3" />

3) Insert the 'address="localhost"' configuration parameter:

    <Connector port="9009"
           address="localhost"
           connectionTimeout="20000"
           redirectPort="443"
           protocol="AJP/1.3" />

4) Save your change, exit the editor and restart novell-tomcat:

   # systemctl restart novell-tomcat


-------------------------------------------------------------------------------------


--- On OES 2015 SP1:

1) Edit /var/opt/novell/tomcat6/conf/server.xml with an ASCII text editor like "vi".

2) Search for the Connector configuration in question:

    <Connector port="9009"
               enableLookups="false" redirectPort="443" debug="0"
               URIEncoding="UTF-8" protocol="AJP/1.3" />

3) Insert the 'address="localhost"' configuration parameter:

    <Connector port="9009"
               address="localhost"
               enableLookups="false" redirectPort="443" debug="0"
               URIEncoding="UTF-8" protocol="AJP/1.3" />

4) Save your change, exit the editor and restart novell-tomcat:

   # rcnovell-tomcat6 restart
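The following script is an added example, not part of this TID and not shipped with OES or novell-tomcat. It verifies the edit described for both OES 2018 SP1 and OES 2015 SP1 in two ways: it checks a server.xml for an AJP/1.3 Connector that carries a loopback address attribute, and it checks `ss -ltn` output for a port 9009 listener that is still bound to a non-loopback address after the restart. The server.xml snippets and the `ss` output it uses are constructed samples; it assumes the Connector is written as in the snippets above (one `<Connector ... />` element per connector, attributes in double quotes) and that `ss` is available on the server.

```shell
#!/bin/sh
# Added example (not from the TID): checks for the AJP Connector change.
# Assumptions: Connector elements look like the TID snippets (one
# <Connector ... /> per connector, double-quoted attributes); `ss -ltn`
# is used to list listening sockets.

# ajp_bound_to_loopback FILE
# Exit 0 if every AJP/1.3 Connector in FILE has an address attribute naming
# the loopback interface, 1 otherwise (also 1 when no AJP Connector exists).
# Caveat: a Connector inside an XML comment is counted too; strip comments
# first if your server.xml keeps a commented-out AJP Connector.
ajp_bound_to_loopback() {
    # Join the file into one line so each multi-line element is one grep -o match.
    elements=$(tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*>' | grep 'protocol="AJP/1.3"' || true)
    [ -n "$elements" ] || return 1
    total=$(printf '%s\n' "$elements" | grep -c . || true)
    bound=$(printf '%s\n' "$elements" | grep -cE 'address="(localhost|127\.0\.0\.1|::1)"' || true)
    [ "$total" -eq "$bound" ]
}

# ajp_exposed_listeners SS_OUTPUT
# SS_OUTPUT is the text printed by `ss -ltn`. Print every LISTEN socket on
# port 9009 whose local address is not loopback; exit 0 if there is none
# (the connector is reachable only locally), 1 if something is exposed.
ajp_exposed_listeners() {
    exposed=$(printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $4 ~ /:9009$/ && $4 !~ /^(127\.0\.0\.1|\[::1\]):/ { print $4 }')
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# Constructed samples: the OES 2018 SP1 Connector before and after the edit.
SERVER_XML_BEFORE=$(cat <<'EOF'
<Service name="Catalina">
    <Connector port="9009"
           connectionTimeout="20000"
           redirectPort="443"
           protocol="AJP/1.3" />
</Service>
EOF
)
SERVER_XML_AFTER=$(cat <<'EOF'
<Service name="Catalina">
    <Connector port="9009"
           address="localhost"
           connectionTimeout="20000"
           redirectPort="443"
           protocol="AJP/1.3" />
</Service>
EOF
)
# Constructed `ss -ltn` output: AJP on all interfaces vs. loopback only.
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    *:9009             *:*
LISTEN 0      128    *:443              *:*'
SS_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:9009     0.0.0.0:*
LISTEN 0      128    *:443              *:*'

# Demo: write the samples to temporary files and run both checks.
before=$(mktemp) && after=$(mktemp)
printf '%s\n' "$SERVER_XML_BEFORE" > "$before"
printf '%s\n' "$SERVER_XML_AFTER" > "$after"
for f in "$before" "$after"; do
    if ajp_bound_to_loopback "$f"; then echo "$f: AJP bound to loopback"; else echo "$f: AJP NOT restricted"; fi
done
rm -f "$before" "$after"
# On a live server run: ajp_exposed_listeners "$(ss -ltn)"
if ajp_exposed_listeners "$SS_EXPOSED"; then echo "nothing exposed"; else echo "exposed listener(s) listed above"; fi
if ajp_exposed_listeners "$SS_LOCAL"; then echo "nothing exposed"; else echo "exposed listener(s) listed above"; fi
```

Run the first check against /etc/opt/novell/tomcat/conf/server.xml (OES 2018 SP1) or /var/opt/novell/tomcat6/conf/server.xml (OES 2015 SP1) before restarting, and the second against live `ss -ltn` output afterwards; a `*:9009` or `0.0.0.0:9009` line means the restart did not pick up the change or another Connector still listens on all interfaces.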