A high severity security vulnerability, https://nvd.nist.gov/vuln/detail/CVE-2020-1938, was published on February 24, 2020.
The CVE affects a large number of versions of Tomcat, a Java web server that is:
- included in TIBCO JasperReports® Server bundled installers for Windows, Mac and Linux
- included in JasperReports® Server AWS AMIs on the AWS Marketplace, i.e. https://aws.amazon.com/marketplace/pp/B01BUD6H48
- frequently used in JasperReports® Server manual deployments
- included in Docker images: https://hub.docker.com/search?q=jasperreports&type=image
The exposure is in Tomcat's Apache JServ Protocol (AJP) connector, which is turned on by default. AJP is used as a high performance integration between the Apache Web Server and Tomcat.
Simplest Solution: Disable AJP
The simplest solution is to disable the AJP connector in Tomcat. JasperReports® Server does not require AJP connections.
Comment out or delete the following line:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Solution 2: Restrict AJP access. Optional Tomcat upgrade
If you require AJP because of the Apache Web Server integration, lock down the AJP connector.
Apache Tomcat 9.0.31, 8.5.51 and 7.0.100 (and later releases) change the AJP connector's defaults so that it is no longer open by default, but upgrading may require additional configuration.
Use of the AJP protocol requires additional security considerations because it allows greater direct manipulation of Tomcat's internal data structures than the HTTP connectors. Particular attention should be paid to the values used for the address, secret, secretRequired and allowedRequestAttributesPattern attributes.
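As an added example (not part of this advisory or of the Tomcat or JasperReports projects), the following Python script parses a server.xml and reports each AJP connector that is still exposed next to one that has been locked down with the address and secret attributes named above. The embedded server.xml and the secret placeholder are constructed for the demonstration; the audit logic assumes the Tomcat connector attribute names address, secret and secretRequired.

```python
# Added example: audit a Tomcat server.xml for AJP connectors left in the
# default, exposed configuration addressed by CVE-2020-1938.
import xml.etree.ElementTree as ET

# Constructed server.xml: the default AJP connector (as shipped) on 8009 and,
# for comparison, a locked-down replacement on 8010 that binds to loopback
# and requires a shared secret. In a real deployment you would replace the
# first connector, not keep both.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="REPLACE-WITH-LONG-RANDOM-SECRET" />
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = ("127.0.0.1", "::1", "localhost")


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector listing its hardening gaps.

    A connector counts as hardened only when it binds to a loopback address
    and carries a non-empty shared secret. Older Tomcat releases have no
    secretRequired attribute, so only an explicit "false" is flagged.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP/"):
            continue  # HTTP connectors are not in scope for this issue
        gaps = []
        if conn.get("address", "") not in LOOPBACK_ADDRESSES:
            gaps.append("listens on all interfaces (no loopback address)")
        if conn.get("secretRequired", "true").lower() == "false":
            gaps.append("secretRequired is disabled")
        if not conn.get("secret"):
            gaps.append("no shared secret configured")
        findings.append({"port": conn.get("port"), "gaps": gaps,
                         "hardened": not gaps})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if finding["hardened"] else "EXPOSED"
        print(f"AJP connector on port {finding['port']}: {status}",
              "; ".join(finding["gaps"]))
```

Run it against your own server.xml by reading the file into audit_ajp_connectors; an empty result means no AJP connector is enabled at all, which is the simplest solution above.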