Environment
Identity Governance 3.5.0
Identity Governance 3.6.0
Identity Governance 3.6.1
Situation
CVE-2020-1938 shows up in vulnerability scans against the Identity Governance Tomcat Application Server
Resolution
Disable the AJP connector - it is not used.
Steps:
1) Stop Tomcat Services
2) Before editing the server.xml file, back it up to a directory outside of the Tomcat directory
*** Default location of the server.xml file: /opt/netiq/idm/apps/tomcat/conf ***
3) Open the server.xml file in a text editor
4) Change the following line
from:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8543"/>
to:
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8543"/> -->
NOTE: The redirectPort value could be different from the example above
5) Save the change and close the server.xml file
6) Start the Tomcat Services
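One way to confirm the edit before restarting Tomcat, as an added example that is not part of the original article or the product: the script parses server.xml and reports any AJP Connector that is still active. A Connector inside a complete `<!-- ... -->` comment is ignored, and a comment that was opened but never closed is reported as a malformed file. The sample XML and the function names are constructed for illustration; the default path is the one given in step 2.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample input (not a real server.xml): before and after step 4.
SAMPLE_BEFORE = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8543"/>
</Service></Server>"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8543"/>',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8543"/> -->')

# Default location from the article; pass another path as the first argument.
DEFAULT_SERVER_XML = "/opt/netiq/idm/apps/tomcat/conf/server.xml"


def is_ajp(protocol):
    """True for protocol="AJP/1.3" and for Tomcat's AJP handler class names."""
    p = protocol.strip().lower()
    return p.startswith("ajp/") or ".ajp." in p


def active_ajp_connectors(xml_text):
    """Return [(port, protocol)] for every AJP Connector that is still live.

    The parser discards XML comments, so a correctly commented-out Connector
    is not reported. An unclosed comment makes the file malformed and is
    raised as ValueError.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"server.xml is not well-formed: {exc}") from exc
    return [(c.get("port", "?"), c.get("protocol"))
            for c in root.iter("Connector")
            if is_ajp(c.get("protocol", ""))]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SERVER_XML
    with open(path, encoding="utf-8") as fh:
        found = active_ajp_connectors(fh.read())
    for port, proto in found:
        print(f"ACTIVE AJP connector: port={port} protocol={proto}")
    sys.exit(1 if found else 0)
```

The script exits with status 0 when no active AJP connector remains and 1 when at least one is found.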
Cause
Tomcat Vulnerability CVE-2020-1938