How does the GhostCat vulnerability in Apache Tomcat affect Enterprise Analyzer?


Environment

Versions affected: Installs prior to version 6
Platforms affected: Windows

Problem

As Enterprise Analyzer (EA) uses Apache Tomcat as the web server for the Enterprise Analyzer Web client product, what is the effect of the GhostCat vulnerability?

Resolution

It was brought to our attention that the Apache Tomcat web server has a security vulnerability that has been named GhostCat.
Information on GhostCat
The impact of GhostCat is as follows:
This vulnerability could let unauthenticated remote attackers read the content of any file on a vulnerable web server, obtain sensitive configuration files or source code, or execute arbitrary code if the server allows file upload.
The versions of Tomcat affected are:
Tomcat versions lower than 9.0.31, 8.5.51 or 7.0.100.
Impact on EA:

  • No direct impact to EA, but Apache Tomcat is shipped with EA.
  • With versions of EA prior to the 6.0.0 release, the version of Apache Tomcat shipped was earlier than 9.0.31, so those versions are affected by the GhostCat vulnerability.
  • From EA 6.0.0 onwards, Tomcat 9.0.33 is shipped with EA.
  • When installing EA, the installer checks whether Tomcat is already installed. If it is found, EA does not install the version it supplies, so an old version of Tomcat already on the machine is left unchanged.

Recommendations

  • Check the version of Tomcat that is installed on the machine.
  • If it is an affected version, then upgrade to a newer version.
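
Because EA leaves a pre-existing Tomcat in place, the version that matters is the one actually installed, not the one EA ships. The following added example (not from the article or from Micro Focus) reads the version out of the installed Tomcat's lib/catalina.jar, where Tomcat stores ServerInfo.properties, and compares it with the three fixed versions for CVE-2020-1938 listed above; the Windows path in the comment is an assumed default, and the sample jars are constructed for offline demonstration.

```python
import io
import re
import zipfile

# First fixed release per Tomcat branch, as listed in the article's Tomcat security references.
FIXED_IN = {(7, 0): (7, 0, 100), (8, 5): (8, 5, 51), (9, 0): (9, 0, 31)}

def parse_version(text):
    """Extract (major, minor, patch) from '9.0.33.0' or 'Apache Tomcat/9.0.33'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def is_ghostcat_vulnerable(version_text):
    """True if older than its branch's fix, False if fixed, None if the branch
    (e.g. 8.0.x or 6.0.x) has no fix listed and should be treated as unsupported."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_IN.get((major, minor))
    return None if fixed is None else (major, minor, patch) < fixed

def read_server_number(catalina_jar):
    """Read server.number from ServerInfo.properties inside lib/catalina.jar (path or file object)."""
    with zipfile.ZipFile(catalina_jar) as jar:
        props = jar.read("org/apache/catalina/util/ServerInfo.properties").decode("utf-8")
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.number":
            return value.strip()
    raise ValueError("server.number not present in ServerInfo.properties")

def check_catalina_jar(catalina_jar):
    """Return (server.number, vulnerable) for the Tomcat that is actually installed."""
    number = read_server_number(catalina_jar)
    return number, is_ghostcat_vulnerable(number)

def make_sample_jar(server_number):
    """Constructed stand-in for lib/catalina.jar, used only for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/catalina/util/ServerInfo.properties", f"server.number={server_number}\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Real Windows use (assumed default path): check_catalina_jar(r"C:\Program Files\Apache Software Foundation\Tomcat 9.0\lib\catalina.jar")
    labels = {True: "VULNERABLE", False: "fixed", None: "no fix listed"}
    for sample in ("9.0.30.0", "9.0.33.0", "8.5.51.0", "7.0.99.0", "8.0.53.0"):
        number, vulnerable = check_catalina_jar(make_sample_jar(sample))
        print(f"Tomcat {number}: {labels[vulnerable]}")
```

A result of None means the installed branch has no fix listed in the article's references and should be upgraded to a supported branch rather than patched in place.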


Reference Material for Tomcat and GhostCat
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
https://nvd.nist.gov/vuln/detail/CVE-2020-1938
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31

Full article: https://portal.microfocus.com/s/article/KM000002613


Heather Caldwell
Micro Focus Community Manager
