CVE-2020-1938 Ghostcat-Apache Tomcat AJP File Read/Inclusion Vulnerability



Hello,

Does the following vulnerability affect Commvault?

Is there a fix for this CVE-2020-1938 vulnerability?

I couldn't find any information about it in the documentation.

Best regards,  

5 replies


Hello @LiorRN 

Thanks for your query.

It is safe to disregard CVE-2020-1938 as, by default, in the server.xml under the apache folder we have the line to use the AJP protocol commented out, so this vulnerability does not impact Tomcat instances installed by Commvault.

Example in Server.xml:

<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->


Author
August 10, 2023

Hi,

thanks for the quick response,

Is there a link to documentation like this one? - https://documentation.commvault.com/2022e/essential/146231_security_vulnerability_and_reporting.html

I need to show our security team Commvault documentation.

Best regards,



Hello @LiorRN 

I couldn't find similar documentation; however, I found an internal response from development advising that CVE-2020-1938 does not impact Commvault when running Tomcat, as we do not use the AJP protocol.

I have copied the response from development below including an example line of the AJP protocol being commented out.

AJP Request Injection and potential Remote Code Execution dubbed 'Ghostcat' (CVE-2020-1938)

We can disregard CVE-2020-1938 as, by default, in the server.xml under the apache folder we have the line to use the AJP protocol commented out.

Please note:
Apache Tomcat Server

The Apache Tomcat Server is automatically installed during the installation of this software if it is not already installed.

Note: Manually upgrading the Apache Tomcat Server is not supported. We always update the Tomcat server with the latest security updates, so that the components using the Tomcat server are free from any vulnerabilities reported by the open-source community.


Damian Andre
Vaulter
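Both answers above rest on a single configuration fact: whether the AJP <Connector> line in Tomcat's server.xml is inside an XML comment. The script below is an added example for verifying that on your own installation; it is not Commvault's tooling and not code from this thread. It parses server.xml with Python's standard XML parser (which discards comments, so a commented-out connector simply never shows up), lists any active AJP connectors, and reports whether each one restricts its bind address or configures an AJP secret. The three embedded server.xml samples and the attribute values in them are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (hypothetical, not taken from any
# real Commvault or Tomcat installation).
SERVER_XML_AJP_COMMENTED = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

SERVER_XML_AJP_ACTIVE = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

SERVER_XML_AJP_HARDENED = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="example-shared-secret"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


def find_ajp_connectors(server_xml: str) -> list:
    """Return the active (uncommented) AJP <Connector> elements as dicts.

    ElementTree's default parser drops XML comments, so a connector wrapped
    in <!-- ... --> never appears in the tree; that is exactly the
    distinction the thread relies on.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        # Tomcat accepts "AJP/1.3" or a fully qualified class name such as
        # org.apache.coyote.ajp.AjpNioProtocol; both contain "ajp".
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        found.append({
            "port": conn.get("port"),
            "protocol": protocol,
            "address": conn.get("address"),  # None: no explicit bind address
            "secret_required": conn.get("secretRequired"),
            "secret_set": conn.get("secret") is not None,
        })
    return found


def assess(server_xml: str) -> list:
    """Turn the connector list into human-readable findings."""
    connectors = find_ajp_connectors(server_xml)
    if not connectors:
        return ["OK: no active AJP connector (commented out or absent)"]
    findings = []
    for c in connectors:
        findings.append(f"ACTIVE AJP connector on port {c['port']} ({c['protocol']})")
        if c["address"] is None:
            findings.append("  - no 'address' attribute: bind address is Tomcat's version default")
        if not c["secret_set"]:
            findings.append("  - no 'secret' configured: AJP requests are not authenticated")
    return findings


if __name__ == "__main__":
    # Usage: python ajp_check.py [path/to/server.xml]; with no argument the
    # three constructed samples above are assessed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {
            "commented": SERVER_XML_AJP_COMMENTED,
            "active": SERVER_XML_AJP_ACTIVE,
            "hardened": SERVER_XML_AJP_HARDENED,
        }
    for name, xml in samples.items():
        print(f"[{name}]")
        for line in assess(xml):
            print(" ", line)
```

Run it against the server.xml under the Commvault apache folder mentioned in the answers; an "OK" result is the evidence the first answer describes. Note that Tomcat's default AJP bind address and its handling of `secretRequired` changed across 9.0.x releases, so an active connector with no explicit `address` is reported as version-dependent rather than as definitely exposed.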

Author
August 10, 2023

Thanks - it's exactly what I needed.
