Question

CVE-2020-1938 Ghostcat-Apache Tomcat AJP File Read/Inclusion Vulnerability

  • 10 August 2023
  • 5 replies
  • 104 views

Userlevel 1
Badge +5

Hello,

Does the following vulnerability affects the Commvault ? 

Is there a fix for this CVE-2020-1938 Vulnerability ?

 

I couldn't find any information about it in the documentation

 

Best regards,  


5 replies

Userlevel 1
Badge +4

Hello @LiorRN 

 

Thanks for your query.

 

It is safe to disregard CVE-2020-1938 as by default in the server.xml under the apache folder,  we have the line to use the AJP protocol commented out so this vulnerability does not impact Tomcat instances installed by Commvault.

Example in Server.xml:

<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->

Userlevel 1
Badge +5

Hi,

thanks for the quick response,

Is there a link to the documentation like this documentation like this one? - https://documentation.commvault.com/2022e/essential/146231_security_vulnerability_and_reporting.html

I need to show our security team Commvault documentation  

 

Best regards,

Userlevel 1
Badge +4

Hello @LiorRN 

I couldn’t find the similar documentation, however, I found an internal response from development advising that CVE-2020-1938 does not impact Commvault when running Tomcat as we do not use the AJP protocol.

I have copied the response from development below including an example line of the AJP protocol being commented out.

AJP Request Injection and potential Remote Code Execution dubbed 'Ghostcat' (CVE-2020-1938)

We can disregard CVE-2020-1938 as by default in the server.xml under the apache folder we have the line to use the AJP protocol commented out by default.

 

Please note:
Apache Tomcat Server

The Apache Tomcat Server is automatically installed during the installation of this software if it is not already installed.

Note: Manually upgrading the Apache Tomcat Server is not supported. We always update the Tomcat server with the latest security updates, so that the components using the Tomcat server are free from any vulnerabilities reported by the open-source community.

Userlevel 7
Badge +23

https://kb.commvault.com/article/81342 👈 👍

Userlevel 1
Badge +5

Thanks - its exactly what I needed

 
 

 

 

Reply