Environment
Host Access for the Cloud (Reflection ZFE) 2.4.3 and earlier
Reflection for the Web 13.0 Hotfix 4 and earlier
Situation
Certain versions of Apache Tomcat's AJP connector could allow attackers to read web application configuration and source information and, in some cases, to upload malicious code that would then be executed, whenever the AJP ports are enabled and reachable.
Any customer environment that has Host Access Management and Security Server (MSS) 12.6.3 or earlier is impacted and could be vulnerable to attack, regardless of whether IIS integration is used.
Resolution
This issue is resolved in new product releases: Host Access Management and Security Server (MSS) 12.6 SP1, Host Access for the Cloud 2.5, and Reflection for the Web 13.1. In these versions, the AJP ports listen on the localhost network interface by default.
Product updates are available to maintained customers from the Downloads website.
For a workaround, see TID 7024548 for instructions on how to disable the AJP ports or change them to listen on localhost only.
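As an added example (not Micro Focus's own tooling and not the procedure from TID 7024548), the script below audits a Tomcat server.xml for AJP connectors that are not bound to the loopback interface, which is the condition the fixed releases and the workaround remove. The server.xml content is a constructed sample, and treating an AJP connector with no address attribute as bound to all interfaces reflects Tomcat's default.

```python
"""Audit a Tomcat server.xml for AJP connectors reachable from non-loopback
interfaces. Constructed example; paths and sample config are not from MSS."""
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed sample: one HTTP connector plus three AJP connectors in
# different states. A commented-out AJP connector (the "disable" workaround)
# is an XML comment and therefore never appears in the parsed tree.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"/>
    <Connector port="8011" protocol="AJP/1.3" address="0.0.0.0" redirectPort="8443"/>
    <!-- <Connector port="8012" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>
"""


def is_loopback(addr: str) -> bool:
    """True for 'localhost' or a literal loopback IP (127.0.0.0/8, ::1).
    Other hostnames are not resolved and are treated as non-loopback."""
    if addr == "localhost":
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_ajp_connectors(server_xml: str):
    """Return (port, address, status) for every AJP connector found."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" and class names such as ...ajp.AjpNioProtocol.
        if "AJP" not in proto.upper():
            continue
        port = conn.get("port", "8009")
        addr = conn.get("address")  # None: Tomcat binds every interface
        if addr is None:
            status = "EXPOSED (no address attribute, binds all interfaces)"
        elif is_loopback(addr):
            status = "OK (loopback only)"
        else:
            status = f"EXPOSED (bound to {addr})"
        findings.append((port, addr, status))
    return findings


def ajp_exposed(server_xml: str) -> bool:
    """True if any AJP connector is reachable beyond loopback."""
    return any(s.startswith("EXPOSED") for _, _, s in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for port, addr, status in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP port {port:>5} address={addr!s:<10} {status}")
```

Pair the config audit with a listener check on the host (for example `ss -ltn` or `netstat -an`) to confirm the running Tomcat binds AJP to 127.0.0.1 rather than 0.0.0.0.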