Skip to main content
ExLibris
  • Subscribe by RSS
    • Back
    Voyager
    Ex Libris Knowledge Center

    Addressing CVE-2020-1938 Tomcat vulnerability for Voyager Environments

    1. Last updated
    2. Save as PDF
    • Product: Voyager   
    • Product Version: All
    • Relevant for Installation Type: Multi-Tenant Direct, Dedicated-Direct, Local, TotalCare

    CVE-2020-1938 vulnerability was reported when using Apache JServ Protocol (AJP)

    This Impacts Apache Tomcat 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 , Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses.

    This issue can be addressed in Voyager by downloading and running the patch kit on the voyager server.

    This procedure requires:

    • Access to the exlibirs FTP server at downloads.exlibrisgroup.com
    • Access to the root user on your system.
    • Basic understanding of the linux command line.

    If uncomfortable with or unable to run the following commands please open a case to Voyager support:

    Installing Patch for CVE-2020-1938 in Voyager Environments
    1. Log on to the server as root.
    2. Run the following commands:
    mkdir -p /m1/incoming/patch

cd /m1/incoming/patch

ftp downloads.exlibrisgroup.com

voyager / LVf_,7lF

cd patch

mget *

exit

bzip2 -dc vik4.patch.tar.bz2 | tar -xvf -
    1. Launch the Voyager patch kit with these commands:
    cd vik4
./ikit_menu
    1. Run menu 1 steps 1 through 5, 7, 8 and 10 to download the latest 3rd party packages for Voyager, including the new Tomcat
    2. Run menu 2 steps 1 through 5 and 16 and 17. These will stop Apache and Voyager, install the latest versions of your 3rd party packages and then re-start Apache and Voyager.

     

    • Article last edited: 3/16/2020