Hello,
Does the following vulnerability affect Commvault?
Is there a fix for the CVE-2020-1938 vulnerability?
I couldn't find any information about it in the documentation.
Best regards,
Hello
Thanks for your query.
It is safe to disregard CVE-2020-1938 as by default in the server.xml under the apache folder, we have the line to use the AJP protocol commented out so this vulnerability does not impact Tomcat instances installed by Commvault.
Example in Server.xml:
<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
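The check described in the reply above, as an added example that is not part of the original post and is not Commvault code: it parses a Tomcat server.xml and lists any AJP connector that is actually active, since an XML parser skips commented-out elements. The function names and the two sample documents are constructed for illustration; pass the path to your own server.xml on the command line.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real installation).
COMMENTED_OUT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
  </Service>
</Server>"""

# Same file with the comment markers removed, i.e. AJP switched on.
AJP_ENABLED = (COMMENTED_OUT
               .replace("<!--<Connector", "<Connector")
               .replace("/>-->", "/>"))


def is_ajp(protocol):
    """True for 'AJP/1.3' and for class names such as org.apache.coyote.ajp.*"""
    p = protocol.strip().lower()
    return p.startswith("ajp") or ".ajp." in p


def active_ajp_connectors(server_xml_text):
    """Return the AJP <Connector> elements that are live (not commented out)."""
    root = ET.fromstring(server_xml_text)  # comments are dropped by the parser
    found = []
    for conn in root.iter("Connector"):
        # A Connector without a protocol attribute defaults to HTTP/1.1.
        proto = conn.get("protocol", "HTTP/1.1")
        if is_ajp(proto):
            found.append({
                "port": conn.get("port"),
                "protocol": proto,
                "address": conn.get("address"),  # None if not set in the file
            })
    return found


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            hits = active_ajp_connectors(fh.read())
    else:
        hits = active_ajp_connectors(COMMENTED_OUT)
    for h in hits:
        print("ACTIVE AJP connector:", h)
    print("AJP enabled" if hits else "No active AJP connector found")
    sys.exit(1 if hits else 0)
```

A non-zero exit status means at least one AJP connector is enabled and the CVE-2020-1938 assessment above no longer applies to that file as-is.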
Hi,
thanks for the quick response,
Is there a link to documentation like this one? - https://documentation.commvault.com/2022e/essential/146231_security_vulnerability_and_reporting.html
I need to show our security team Commvault documentation
Best regards,
Hello
I couldn’t find similar documentation; however, I found an internal response from development advising that CVE-2020-1938 does not impact Commvault when running Tomcat as we do not use the AJP protocol.
I have copied the response from development below including an example line of the AJP protocol being commented out.
AJP Request Injection and potential Remote Code Execution dubbed 'Ghostcat' (CVE-2020-1938)
We can disregard CVE-2020-1938 as by default in the server.xml under the apache folder we have the line to use the AJP protocol commented out by default.
Please note:
Apache Tomcat Server
The Apache Tomcat Server is automatically installed during the installation of this software if it is not already installed.
Note: Manually upgrading the Apache Tomcat Server is not supported. We always update the Tomcat server with the latest security updates, so that the components using the Tomcat server are free from any vulnerabilities reported by the open-source community.
Thanks - it's exactly what I needed