CVE-2020-1938 AJP connector vulnerability in Apache Tomcat

  • 7024499
  • 24-Mar-2020
  • 11-Mar-2021


ZENworks Reporting Server Appliance
ZENworks Configuration Management


CVE-2020-1938 shows up in vulnerability scans against the ZENworks Reporting Server Appliance, ZENworks Configuration Management


For ZRS:  This is fixed in the next Online Update Security patches for Appliances in the May 2020 cadence.  

For ZENworks Configuration Management 2020 Update 1:  This is fixed, see TID 7024523 - ZENworks 2020 Update 1 - information and list of fixes.

For 2017.x and 2020 versions of ZCM follow the steps in the workaround below. 


Disable the AJP connector - it is not used.
  • Stop ZENworks Services
  • Create a backup before editing the server.xml fileZRS Appliance Location
  • ZRS Appliance Location:  /opt/novell/zenworks-reporting/js/apache-tomcat/conf
  • ZCM Appliance Location: /vastorage/opt/novell/zenworks/share/tomcat/conf 
    • Remove (Remark) the following line
    • <!-- Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3"  redirectPort="8443"/>
    • Start the ZENworks Services


    Tomcat Vulnerability CVE-2020-1938

    Additional Information

    Other ZENworks product server.xml locations

            ZCM Windows Location:  %ZENWORKS_HOME%\share\tomcat\conf
            ZCM Linux Location: /opt/novell/zenworks/share/tomcat/conf
            ZCM Appliance Location: /vastorage/opt/novell/zenworks/share/tomcat/conf
            ZRS Appliance Location: /opt/novell/zenworks-reporting/js/apache-tomcat/conf
            ZSD Appliance Location: /opt/novell/servicedesk/server/conf