Security Advisory - Apache Tomcat vulnerability (CVE-2020-1938) Updated - March 17, 2020
Overview
On February 27, 2020, Apache Software Foundation released information regarding a vulnerability (CVE-2020-1938) in Apache Tomcat JServ Protocol (AJP). Exploiting this vulnerability could allow a remote attacker to steal information or execute arbitrary code if the web application allows file upload and stores files.
References
- https://tomcat.apache.org/security-8.html#Apache_Tomcat_8.x_vulnerabilities
- https://nvd.nist.gov/vuln/detail/CVE-2020-1938
- https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html?m=1
- https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
Impact
High
Affected Systems
Ex Libris products that are affected: Research Professional, 360 Services, campusM and Voyager.
Test and Certifications
The mitigation for this vulnerability has been developed, tested and certified for Ex Libris products.
Actions Taken for Cloud Systems
Ex Libris has already deployed the fix to all cloud environments and no action is required by the customer.
Actions Taken for Local /On Premise
Voyager: See CVE-2020-1938 for Voyager customers
campusM: See CVE-2020-1936 for campusM customers
Exploitation and Public Announcements
The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.