Fixing Tomcat CVE-2020-1938 for TIBCO JasperReports® Server


    swood_1
    • Features: JasperReports Server Version: v7, v6, v5, v4 Product: JasperReports® Server

    A high severity security vulnerability, https://nvd.nist.gov/vuln/detail/CVE-2020-1938 (commonly known as "Ghostcat"), was published on February 24, 2020.

    The CVE affects a large number of Tomcat versions. Tomcat is the Java web server (servlet container) that JasperReports® Server is deployed in.

    The exposure is in Tomcat's Apache JServ Protocol (AJP) connector, which in the affected versions is enabled by default and listens on port 8009 on all interfaces. AJP is used as a high performance integration between the Apache Web Server and Tomcat. Because AJP is a trusted binary protocol that lets the proxy set request attributes the HTTP connector would never accept from a client, anyone who can open a connection to the AJP port can read any file inside the deployed web application (for example WEB-INF/web.xml) and, if the application also lets users upload files, may be able to execute code on the server.

    The issue as tracked in Apache's JIRA (this is the Apache OFBiz project's ticket for the same CVE; Tomcat itself does not track bugs in JIRA): https://issues.apache.org/jira/browse/OFBIZ-11407?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel


    Simplest Solution: Disable AJP

    The simplest solution is to disable the AJP connector in Tomcat. JasperReports® Server does not require AJP connections: the connector is only used when a front-end Apache Web Server (or another AJP-capable proxy) forwards requests to Tomcat, and a JasperReports® Server that is accessed directly over HTTP/HTTPS never uses it.

    Edit <tomcat>/conf/server.xml

    Comment out (wrap in <!-- ... -->) or delete the following line, then restart Tomcat. After the restart, confirm that nothing is listening on port 8009 any more (for example with ss -ltn or netstat -ltn):

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
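    The edit and the follow-up check above, scripted as an added example (this is not code from the Jaspersoft article or from Tomcat). The server.xml path and the port number are assumptions; Tomcat as bundled with JasperReports® Server usually lives under the install directory's apache-tomcat folder, and a Tomcat of your own may sit elsewhere.

```shell
#!/bin/sh
# Added example, not part of the Jaspersoft article: comment out the AJP/1.3
# connector in a Tomcat server.xml, then check that nothing listens on the
# AJP port any more. The path and port are assumptions for a typical install.
set -eu

# Number of AJP/1.3 <Connector> elements that are still active (not already
# inside an XML comment). Only the single-line form that Tomcat ships is
# recognised; a connector spread over several lines must be checked by hand.
active_ajp_connectors() {
  grep -cE '^[[:space:]]*<Connector[^>]*protocol="AJP/1\.3"' "$1" || true
}

# Wrap every active single-line AJP/1.3 connector in <!-- ... -->. sed keeps
# a .bak copy of the file. Running it twice is harmless: a line that already
# starts with <!-- no longer matches the pattern.
disable_ajp() {
  conf="$1"
  sed -E -i.bak \
    's#^([[:space:]]*)(<Connector[^>]*protocol="AJP/1\.3"[^>]*/>)[[:space:]]*$#\1<!-- \2 -->#' \
    "$conf"
}

# Exit status 0 when some process has a TCP listener on the given port.
# Run this after restarting Tomcat: a listener on 8009 means the change did
# not take effect (wrong server.xml, or a multi-line connector that was
# not commented out).
ajp_port_listening() {
  port="${1:-8009}"
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | awk '{print $4}' | grep -qE "[:.]${port}\$"
  else
    netstat -ltn 2>/dev/null | awk '{print $4}' | grep -qE "[:.]${port}\$"
  fi
}

# Usage: sh disable_ajp.sh /opt/jasperserver/apache-tomcat/conf/server.xml
if [ "$#" -ge 1 ]; then
  before=$(active_ajp_connectors "$1")
  disable_ajp "$1"
  after=$(active_ajp_connectors "$1")
  echo "AJP connectors active before: $before, after: $after"
  if [ "$after" != "0" ]; then
    echo "WARNING: an AJP connector survived; edit $1 by hand" >&2
  fi
  echo "Now restart Tomcat; afterwards 'ss -ltn | grep 8009' must print nothing."
fi
```

    The listener check is the part worth keeping: disabling the connector in a server.xml that Tomcat is not actually reading (a second Tomcat instance, or CATALINA_BASE pointing elsewhere) is a common way for this fix to silently not happen.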
    

    Solution 2: Restrict AJP access. Optional Tomcat upgrade

    If you require AJP because of the Apache Web Server integration, lock down the AJP connector: bind it to the loopback address (or the one interface the proxy connects from), require a shared secret that the proxy must present, and block port 8009 from everything except the proxy at the host or network firewall.

    Apache Tomcat 9.0.31, 8.5.51 and 7.0.100 (and later) change the AJP connector defaults: the connector is commented out in the shipped server.xml, it binds to the loopback address instead of all interfaces, and secretRequired defaults to true, so an AJP connector with no secret configured refuses to start. Upgrading therefore closes the exposure by default but may require additional configuration on both the Tomcat and the web server side before the integration works again.

    From https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html

    Use of the AJP protocol requires additional security considerations because it allows greater direct manipulation of Tomcat's internal data structures than the HTTP connectors. Particular attention should be paid to the values used for the address, secret, secretRequired and allowedRequestAttributesPattern attributes.
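    An added example of what that lock-down looks like in practice, generating the hardened connector for server.xml and the matching Apache httpd mod_proxy_ajp directives (this is not code from the Jaspersoft article, Tomcat or httpd). The loopback address, port 8009, the /jasperserver context path and a same-host httpd are assumptions for a typical single-machine deployment.

```shell
#!/bin/sh
# Added example, not part of the Jaspersoft article: emit a hardened AJP
# connector for server.xml and the matching Apache httpd proxy lines that
# share the same secret. Address, port and context path are assumptions.
set -eu

# 32 random bytes as 64 hex characters, from openssl if present, else from
# /dev/urandom. The same value must be configured on both ends.
gen_ajp_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
  fi
}

# The locked-down connector: address= binds the listener to one interface
# instead of all of them, secretRequired="true" makes Tomcat refuse to start
# without a secret, and secret= is the value the proxy must present.
# allowedRequestAttributesPattern is deliberately left unset: the default
# rejects (HTTP 403) any request attribute outside Tomcat's built-in list,
# which is what you want unless your proxy passes custom attributes.
hardened_ajp_connector() {
  addr="$1"; port="$2"; secret="$3"
  printf '<Connector port="%s" protocol="AJP/1.3" address="%s"\n' "$port" "$addr"
  printf '           secretRequired="true" secret="%s"\n' "$secret"
  printf '           redirectPort="8443" />\n'
}

# The httpd side. mod_proxy_ajp learned the secret= worker parameter in
# httpd 2.4.42; mod_jk uses worker.<name>.secret instead. An older httpd
# cannot present a secret, so there you must either upgrade or set
# secretRequired="false" and rely solely on address= plus firewalling.
httpd_proxy_config() {
  addr="$1"; port="$2"; secret="$3"; ctx="${4:-/jasperserver}"
  printf 'ProxyPass "%s" "ajp://%s:%s%s" secret=%s\n' "$ctx" "$addr" "$port" "$ctx" "$secret"
  printf 'ProxyPassReverse "%s" "ajp://%s:%s%s"\n' "$ctx" "$addr" "$port" "$ctx"
}

# Usage: sh ajp_lockdown.sh   (prints both fragments with one fresh secret)
if [ "$#" -eq 0 ]; then
  secret=$(gen_ajp_secret)
  echo '# --- put inside <Service name="Catalina"> in <tomcat>/conf/server.xml ---'
  hardened_ajp_connector 127.0.0.1 8009 "$secret"
  echo '# --- put in the httpd virtual host that fronts JasperReports Server ---'
  httpd_proxy_config 127.0.0.1 8009 "$secret"
fi
```

    The secret ends up in clear text in both server.xml and the httpd configuration, so keep those files readable only by root and the service accounts. Note that on an upgraded Tomcat (9.0.31, 8.5.51, 7.0.100 or later) a connector without secret= and without secretRequired="false" will fail at startup rather than run open, which is the intended safe default.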



    User Feedback


    No.
    Versions of Tomcat after the indicated supported version documented in the Platform Support Guide for your JasperReports Server version have not been tested and certified, and are therefore not officially supported.

    Later point release versions like Tomcat 8.5.51 are likely but not guaranteed to work.


    I would like to enquire whether there is a plan and schedule for any existing available JasperReports Server, such as version 7.1, 7.2 and 7.5 or other versions, to be certified with Tomcat version 8.5.51 or 9.0.31 or higher, which address the security issue.
    Thank you


    Not for the back versions. You will need to update your existing Tomcat deployment to disable AJP as outlined in this page.

    Jaspersoft regularly updates platform support for every new release, and Tomcat is always on the list.

