AccuRev Web Server response to CVE-2020-1938

ISSUE:

By default, Apache Tomcat ships with the AJP connector listening on TCP port 8009 on all IP addresses.  A vulnerability has been identified in which an attacker could use the AJP protocol to read web application files from the web server.  More details can be found here: https://nvd.nist.gov/vuln/detail/CVE-2020-1938

HOW TO STEPS:

The AccuRev Web Server does not require the AJP protocol to be enabled.  To mitigate this issue, edit <AccuRev Install>/WebUI/tomcat/conf/server.xml and comment out the AJP Connector as follows:

<!--  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

After saving this change to your server.xml, you must stop and then restart the Tomcat server for the change to take effect.
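
To confirm the mitigation, the following added example (not part of the original article or of AccuRev) parses a server.xml, reports any AJP Connector that is still uncommented, and checks whether anything answers on port 8009 after the restart. The sample XML is constructed, and the function names and the script name in the usage comment are illustrative.

```python
import socket
import sys
import xml.etree.ElementTree as ET

# Constructed sample: server.xml fragment with the AJP connector still active.
SAMPLE_ACTIVE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: the same fragment with the connector commented out.
SAMPLE_MITIGATED = SAMPLE_ACTIVE.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!--  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->')


def active_ajp_connectors(server_xml):
    """Return (port, address) for each uncommented AJP <Connector>."""
    # ElementTree's default parser drops XML comments, so a connector
    # wrapped in <!-- --> never shows up in the element tree.
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        # Matches "AJP/1.3" and class names such as ...ajp.AjpNioProtocol
        if "ajp" in conn.get("protocol", "").lower():
            # No address attribute: Tomcat's default bind address applies
            found.append((conn.get("port"), conn.get("address", "<default>")))
    return found


def port_is_listening(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Usage: python check_ajp.py <path to server.xml>; no path = constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MITIGATED
    hits = active_ajp_connectors(data)
    print("active AJP connectors:", hits or "none")
    print("127.0.0.1:8009 listening:", port_is_listening("127.0.0.1", 8009))
```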
