Apache Tomcat Ghostcat vulnerability CVE-2020-1938

  • 7024547
  • 07-Apr-2020
  • 10-Apr-2020

Environment

Host Access Management and Security Server (MSS) 12.6.3 and earlier
Host Access for the Cloud (Reflection ZFE) 2.4.3 and earlier
Reflection for the Web 13.0 Hotfix 4 and earlier

Situation

Affected versions of the Apache Tomcat AJP connector (CVE-2020-1938, "Ghostcat") trust request attributes supplied by whatever connects to the AJP port, as if the peer were always the front-end web server. An attacker who can reach an enabled AJP port can therefore read any file inside a deployed web application, including WEB-INF/web.xml and other configuration and source files, and, if the application also lets them place a file on disk (for example through an upload feature), can have that file processed as a JSP and executed on the server.

Any customer environment running Host Access Management and Security Server (MSS) 12.6.3 or earlier is impacted and could be vulnerable to attack. The exposure does not depend on whether IIS integration (the feature that uses AJP) is actually in use: the AJP ports are enabled in these versions regardless.

Resolution

This issue is resolved in new product releases: Host Access Management and Security Server (MSS) 12.6 SP1, Host Access for the Cloud 2.5 and Reflection for the Web 13.1. In these versions the AJP ports listen on the localhost network interface by default, so they are no longer reachable from other hosts.

Product updates are available to maintained customers from the Downloads website.

For a workaround, see TID 7024548 for instructions on how to disable the AJP ports or change them to listen on localhost only.
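The following is an added illustration of the two workaround shapes described above (disable the AJP connector, or bind it to localhost only), written against a stock Apache Tomcat conf/server.xml. It is not taken from this advisory or from the products listed; the file location, the port number 8009 and the attribute names are the Tomcat defaults and are assumptions here, so the product-specific steps in TID 7024548 remain authoritative.

```xml
<!-- Weak (the pre-fix Tomcat default): no address attribute, so the connector
     binds to every network interface. Anything that can reach TCP/8009 speaks
     AJP straight to Tomcat and is trusted as if it were the front-end web server. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened, option 1: no reverse proxy in this deployment uses AJP, so the
     connector is removed (left here commented out so the intent is visible). -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

<!-- Hardened, option 2: a co-located proxy still needs AJP. Bind to loopback only,
     so the port is unreachable from other hosts, and require a shared secret.
     secretRequired/secret exist on Tomcat 9.0.31, 8.5.51 and 7.0.100 and later;
     older releases use the single attribute requiredSecret instead. The proxy must
     send the same value (mod_proxy_ajp: secret= on ProxyPass; mod_jk: worker secret). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="replace-with-a-long-random-value" />
```

After restarting Tomcat, confirm the result from the host itself with `ss -ltnp | grep 8009`: the local address should read 127.0.0.1:8009 (or the port should be absent if the connector was removed), not 0.0.0.0:8009 or *:8009. A proxy on a different host cannot use the loopback binding, so in that topology option 1 plus an HTTP connector, or a firewall rule restricting 8009 to the proxy's address together with the shared secret, is the practical alternative.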

Status

Security Alert

Additional Information