A high severity security vulnerability, https://nvd.nist.gov/vuln/detail/CVE-2020-1938, was published on February 24, 2020.
The CVE affects a large number of versions of Tomcat, a Java web server that is:
- included in TIBCO JasperReports® Server bundled installers for Windows, Mac and Linux
- included in JasperReports® Server AWS AMIs on the AWS Marketplace, i.e. https://aws.amazon.com/marketplace/pp/B01BUD6H48
- frequently used in JasperReports® Server manual deployments
- included in Docker images: https://hub.docker.com/search?q=jasperreports&type=image
The exposure is in Tomcat's Apache JServ Protocol (AJP) connector, which is turned on by default. AJP is used as a high performance integration between the Apache Web Server and Tomcat.
The issue on Tomcat's JIRA: https://issues.apache.org/jira/browse/OFBIZ-11407?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
Simplest Solution: Disable AJP
The simplest solution is to disable the AJP connector in Tomcat. JasperReports® Server does not require AJP connections.
Edit <tomcat>/conf/server.xml
Comment out or delete the following line:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Solution 2: Restrict AJP access. Optional Tomcat upgrade
If you require AJP because of the Apache Web Server integration, lock down the AJP connector.
Apache Tomcat 9.0.31, 8.5.51 and 7.0.100 (and later) change the AJP connector defaults to be more restrictive, but upgrading may require additional configuration.
From https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
Use of the AJP protocol requires additional security considerations because it allows greater direct manipulation of Tomcat's internal data structures than the HTTP connectors. Particular attention should be paid to the values used for the address, secret, secretRequired and allowedRequestAttributesPattern attributes.
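As an added example (not from the original post or from TIBCO), here is the default connector from an older Tomcat next to a locked-down form using the attributes named above. The secret value is a placeholder that you must replace with your own long random string.

```xml
<!-- Older Tomcat default (CVE-2020-1938 exposure): listens on every interface,
     no shared secret, so anything that can reach port 8009 can speak AJP. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened connector for Tomcat 9.0.31 / 8.5.51 / 7.0.100 or later.
     address: bind to loopback when the Apache Web Server runs on the same host;
              if it runs elsewhere, bind to the specific internal interface and
              firewall port 8009 to that web server only.
     secretRequired/secret: Tomcat rejects AJP requests that do not carry the
              matching secret (placeholder below, constructed for this example).
     allowedRequestAttributesPattern is deliberately left unset: the default
              only permits attributes Tomcat knows to be safe. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE_ME_LONG_RANDOM_SECRET" />
```

The same secret must be configured on the Apache Web Server side (mod_proxy_ajp's `secret=` ProxyPass worker parameter, available in httpd 2.4.42 and later), otherwise Tomcat will refuse the proxied requests. After restarting Tomcat, confirm with `ss -ltnp` or `netstat -an` that port 8009 is bound only to the intended address.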