Question

CVE-2020-1938 Ghostcat-Apache Tomcat AJP File Read/Inclusion Vulnerability

  • 10 August 2023
  • 5 replies
  • 120 views

Userlevel 1
Badge +5

Hello,

Does the following vulnerability affect Commvault?

Is there a fix for this CVE-2020-1938 vulnerability?

I couldn't find any information about it in the documentation.

Best regards,


5 replies

Userlevel 1
Badge +4

Hello @LiorRN

Thanks for your query.

It is safe to disregard CVE-2020-1938, as by default in the server.xml under the apache folder we have the line to use the AJP protocol commented out, so this vulnerability does not impact Tomcat instances installed by Commvault.

Example in Server.xml:

<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
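A defender-side check for the condition this reply describes, added here as an example and not part of the thread or of Commvault's own tooling: it parses a Tomcat server.xml and reports any AJP connector that is actually enabled. Because the XML parser discards comments, a connector commented out as in the line above is simply not reported. Both sample configurations are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the shipped default the reply describes (AJP connector commented out).
SERVER_XML_AJP_DISABLED = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
  </Service>
</Server>
"""

# Constructed sample: the same file with the AJP connector uncommented.
SERVER_XML_AJP_ENABLED = SERVER_XML_AJP_DISABLED.replace(
    '<!--<Connector port="8009"', '<Connector port="8009"'
).replace('redirectPort="8443" />-->', 'redirectPort="8443" />')


def find_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one record per AJP connector that is actually live in server.xml.

    ElementTree drops XML comments, so a connector that is commented out
    (the state the reply describes) never appears in the parsed tree.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        # AJP connectors are declared as "AJP/1.3" or via an org.apache.coyote.ajp.* class.
        if "AJP" not in proto.upper():
            continue
        findings.append({
            "port": conn.get("port"),
            # No address attribute means Tomcat's default binding applies; the fixed
            # releases (7.0.100 / 8.5.51 / 9.0.31) changed that default to loopback.
            "address": conn.get("address"),
            # The same releases default secretRequired to true, and the connector
            # will not start without a shared secret configured.
            "secret_set": conn.get("secret") is not None,
            "secret_required": conn.get("secretRequired", "true").lower() == "true",
        })
    return findings


def ghostcat_review_needed(server_xml: str) -> bool:
    """True when at least one AJP connector is enabled and should be reviewed."""
    return bool(find_ajp_connectors(server_xml))
```

Run it against a real server.xml by reading the file into a string; an empty result from find_ajp_connectors means the AJP listener the CVE targets is not configured at all.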

Userlevel 1
Badge +5

Hi,

thanks for the quick response,

Is there a link to documentation like this one? - https://documentation.commvault.com/2022e/essential/146231_security_vulnerability_and_reporting.html

I need to show our security team Commvault documentation.

Best regards,

Userlevel 1
Badge +4

Hello @LiorRN 

I couldn't find similar documentation; however, I found an internal response from development advising that CVE-2020-1938 does not impact Commvault when running Tomcat, as we do not use the AJP protocol.

I have copied the response from development below including an example line of the AJP protocol being commented out.

AJP Request Injection and potential Remote Code Execution dubbed 'Ghostcat' (CVE-2020-1938)

We can disregard CVE-2020-1938, as by default in the server.xml under the apache folder we have the line to use the AJP protocol commented out.

Please note:
Apache Tomcat Server

The Apache Tomcat Server is automatically installed during the installation of this software if it is not already installed.

Note: Manually upgrading the Apache Tomcat Server is not supported. We always update the Tomcat server with the latest security updates, so that the components using the Tomcat server are free from any vulnerabilities reported by the open-source community.

Userlevel 7
Badge +23

https://kb.commvault.com/article/81342 👈 👍

Userlevel 1
Badge +5

Thanks - it's exactly what I needed