CVE-2020-1938 Tomcat vulnerability
CVE-2020-1938 is a vulnerability in Apache Tomcat's handling of the Apache JServ Protocol (AJP).
It affects Apache Tomcat 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99. These versions shipped with an AJP Connector enabled by default that listened on all configured IP addresses.
The campusM connect layer web services package is not expected to be affected by the Tomcat upgrade, but we recommend following these steps:
- Back up the existing Tomcat installation and its configuration.
- On the sandbox/dev connect layer, upgrade Tomcat from 7.x to 7.0.100 or from 8.5.x to 8.5.51.
- If the customer setup relied on an AJP connector to reach Tomcat from an upstream server (e.g. Apache httpd, a load balancer), the AJP connector may need to be re-configured in Tomcat's server.xml, since the upgraded version of Tomcat has this connector disabled by default.
- If the Tomcat upgrade is installed as a separate instance, copy the campusM web service packages (.war files) from the webapps folder of the old Tomcat installation into the webapps folder of the new Tomcat installation.
- Once completed, the customer can carry out a general app sanity test in their sandbox app instance, covering authentication and the integrations that rely on the connect layer, e.g. timetable.
Once the functionality has been verified in sandbox, an upgrade of the production tomcat installation can be planned.
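For customers who do need to re-enable AJP after the upgrade, the following server.xml fragment (an added illustration, not configuration shipped with campusM or taken from this advisory) contrasts the pre-upgrade default with a hardened post-upgrade connector. The `address` value and the secret string are placeholders to be replaced with the interface the upstream proxy actually connects from and a long random value shared with that proxy.

```xml
<!-- Pre-upgrade default (Tomcat 7.0.99 / 8.5.50): AJP enabled, bound to every
     configured IP address, no shared secret required. This is the exposure
     that CVE-2020-1938 describes. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Post-upgrade (Tomcat 7.0.100 / 8.5.51): the AJP connector is disabled by
     default. Re-enable it only if an upstream proxy (Apache httpd, load
     balancer) needs it, bind it to the interface that proxy uses, and require
     a shared secret. secretRequired defaults to true in these versions, so the
     connector refuses to start unless a secret is configured. -->
<Connector port="8009"
           protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET"
           redirectPort="8443" />
```

The same secret must be configured on the proxy side, and after restarting Tomcat a listening-socket check (e.g. `ss -ltnp` on Linux) should show port 8009 bound only to the chosen address rather than to 0.0.0.0.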