Security Advisory - Apache Tomcat vulnerability (CVE-2020-1938) Updated - March 17, 2020

Overview

On February 27, 2020, Apache Software Foundation released information regarding a vulnerability (CVE-2020-1938) in Apache Tomcat JServ Protocol (AJP). Exploiting this vulnerability could allow a remote attacker to steal information or execute arbitrary code if the web application allows file upload and stores files.

References

Impact

High

Affected Systems

Ex Libris products that are affected: Research Professional, 360 Services, campusM and Voyager.

Test and Certifications

The mitigation for this vulnerability has been developed, tested and certified for Ex Libris products.

Actions Taken for Cloud Systems

Ex Libris has already deployed the fix to all cloud environments and no action is required by the customer.

Actions Taken for Local /On Premise

Voyager: See CVE-2020-1938 for Voyager customers

campusM: See CVE-2020-1936 for campusM customers

Exploitation and Public Announcements

The Ex Libris Security Incident Response Team (SIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Record of Changes

Type of information	Document Data
Document Title:	Security Advisory - Apache Tomcat vulnerability (CVE-2020-1938) Updated - March 17, 2020
Document Owner:	Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
Approved by:	Barak Rozenblat – VP Cloud Services
Issued:	March 17, 2020
Reviewed & Revised:	March 17, 2020

Revision Control

Version Number	Nature of Change	Date Approved
1.0	Initial version	March 17, 2020

Document Distribution and Review

The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver