Fixing Tomcat CVE-2020-1938 for TIBCO JasperReports® Server

A high severity security vulnerability, https://nvd.nist.gov/vuln/detail/CVE-2020-1938, was published on February 24, 2020.

The CVE affects a large number of versions of Tomcat, the Java web server that JasperReports Server is deployed on.

The exposure is in Tomcat's Apache JServ Protocol (AJP) connector, which in the affected versions is enabled by default and listens on all interfaces. AJP is a binary protocol used as a high-performance integration between the Apache HTTP Server and Tomcat.

Tomcat itself does not track issues in JIRA; the linked ticket is the Apache OFBiz project's JIRA issue tracking this CVE: https://issues.apache.org/jira/browse/OFBIZ-11407?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel


Simplest Solution: Disable AJP

The simplest solution is to disable the AJP connector in Tomcat. JasperReports® Server does not require AJP connections.

Edit <tomcat>/conf/server.xml

Comment out or delete the following line, then restart Tomcat:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Solution 2: Restrict AJP access (optional Tomcat upgrade)

If you require AJP because of the Apache HTTP Server integration, lock down the AJP connector instead of disabling it.

Apache Tomcat 9.0.31, 8.5.51 and 7.0.100 (and later) change the AJP connector's defaults: it binds only to the loopback address and requires a shared secret (secretRequired defaults to true). Upgrading therefore closes the exposure, but an existing Apache HTTP Server integration may require additional configuration to keep working.

From the Tomcat 9.0 AJP connector documentation, https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html:

Use of the AJP protocol requires additional security considerations because it allows greater direct manipulation of Tomcat's internal data structures than the HTTP connectors. Particular attention should be paid to the values used for the address, secret, secretRequired and allowedRequestAttributesPattern attributes.
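As an added example (not part of the original article and not Jaspersoft's or Tomcat's own code), the Python script below audits a server.xml for AJP connectors that are still exposed. It covers both solutions above: a commented-out connector (Solution 1) is dropped by the XML parser and produces no finding, and a connector bound to 127.0.0.1 with a secret (Solution 2) passes, while the stock pre-fix connector and a connector with secretRequired="false" are reported. The server.xml snippets are constructed for the example and the secret value is a placeholder; the attribute names (protocol, port, address, secret, secretRequired) are Tomcat's real ones.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed to CVE-2020-1938.

Added example, not from the original article. The server.xml snippets below
are constructed for illustration; the Connector attribute names are Tomcat's.
"""
import xml.etree.ElementTree as ET
from typing import List

# Addresses that keep AJP reachable only from the local host.
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}


def _wrap(connector_line: str) -> str:
    """Build a minimal, well-formed server.xml around one connector line (constructed)."""
    return (
        '<Server port="8005" shutdown="SHUTDOWN">\n'
        '  <Service name="Catalina">\n'
        '    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>\n'
        f"    {connector_line}\n"
        '    <Engine name="Catalina" defaultHost="localhost">\n'
        '      <Host name="localhost" appBase="webapps"/>\n'
        "    </Engine>\n"
        "  </Service>\n"
        "</Server>\n"
    )


# Stock pre-fix Tomcat default: AJP enabled, all interfaces, no secret.
STOCK_SERVER_XML = _wrap('<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />')

# Solution 1: the connector commented out (the XML parser discards comments).
DISABLED_SERVER_XML = _wrap('<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->')

# Solution 2: AJP kept for httpd, bound to loopback and protected by a shared secret.
LOCKED_SERVER_XML = _wrap(
    '<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
    'secretRequired="true" secret="replace-with-a-long-random-value" redirectPort="8443" />'
)

# A misconfiguration a patched Tomcat still accepts: the secret explicitly waived.
WAIVED_SERVER_XML = _wrap(
    '<Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" '
    'secretRequired="false" redirectPort="8443" />'
)


def ajp_connectors(server_xml: str) -> List[ET.Element]:
    """Return every active <Connector> whose protocol is AJP ("AJP/1.3" or an Ajp* class name)."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector") if "ajp" in c.get("protocol", "").lower()]


def audit(server_xml: str) -> List[str]:
    """Return one finding per weakness; an empty list means no exposed AJP connector."""
    findings = []
    for conn in ajp_connectors(server_xml):
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            findings.append(
                f'port {port}: no address attribute; pre-fix Tomcat binds AJP to all '
                f'interfaces, set address="127.0.0.1"'
            )
        elif address not in LOOPBACK:
            findings.append(f"port {port}: AJP bound to {address}, reachable beyond the local host")
        # A missing secretRequired is treated like the patched default (true), so a
        # missing secret is still reported: patched Tomcat refuses to start the
        # connector, older Tomcat accepts any client that can reach the port.
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f'port {port}: secretRequired="false" accepts unauthenticated AJP clients')
        elif not conn.get("secret"):
            findings.append(f"port {port}: no secret configured")
    return findings


if __name__ == "__main__":
    samples = [("stock", STOCK_SERVER_XML), ("disabled", DISABLED_SERVER_XML),
               ("locked", LOCKED_SERVER_XML), ("waived", WAIVED_SERVER_XML)]
    for name, xml in samples:
        print(f"{name}:")
        for line in audit(xml) or ["OK"]:
            print("  ", line)
```

To run it against a real deployment, read <tomcat>/conf/server.xml into a string and pass it to audit(). When AJP is kept (Solution 2), the same secret has to be configured on the Apache side as well, for example via the secret= parameter of mod_proxy_ajp's ProxyPass (httpd 2.4.42 and later) or worker.<name>.secret in mod_jk, otherwise a patched Tomcat will reject every request from httpd.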

Comments

Does this mean that Tomcat 8.5.51 is now supported?

No.
Versions of Tomcat after the indicated supported version documented in the Platform Support Guide for your JasperReports Server version have not been tested and certified, and are therefore not officially supported.

Later point release versions like Tomcat 8.5.51 are likely but not guaranteed to work.

I would like to enquire whether there is a plan and schedule for any existing available JasperReports Server version, such as 7.1, 7.2 and 7.5 or other versions, to be certified with Tomcat version 8.5.51 or 9.0.31 or higher, which address the security issue.
Thank you

Not for the back versions. You will need to update your existing Tomcat deployment to disable AJP as outlined in this page.

Jaspersoft regularly updates platform support for every new release, and Tomcat is always on the list.

I would like to enquire about the schedule for the new release of JasperReports Server.

Thank you
