Re: Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)

2020-03-09 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nitin,

On 3/7/20 00:02, Nitin Kadam wrote:
> Hello Team,
>
> We received a vulnerability alert from the Security team for "Apache
> Tomcat AJP File Inclusion Vulnerability (unauthenticated check)"
> and for remediation they suggested updating Tomcat to the latest
> version.
>
> Can you please help to resolve the same without upgrading the existing
> version, i.e. Tomcat 8.5?


1. Are you using the AJP protocol at all?

If not, then you can ignore CVE-2020-1938. Just make sure that all AJP
<Connector> elements have been completely removed from your
conf/server.xml file.

2. Are you securing your endpoints against arbitrary connections?

If so, then you can ignore CVE-2020-1938. If you haven't secured your
endpoints, then you were going to be vulnerable to other hi-jinx in
the first place.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5muWoACgkQHPApP6U8
pFg4ng/9GeIYmBYiaYvw3qN61eY1xK7qZrVdckf2sdqQjcFdQ+Cuw9nSPsQCvsMl
9gZpx8Cgz55pS197lZn5Fns22GZJMqXqGtjH3JO7fGiysjb3KKbJ8qiLOaRZT+OR
DDocCKC31GJHIql9GiE5wgWlYP6JFaOUmNm4NFYkcWJm0fAZRB/9w0ptsbWkxWYU
UCBjP7Fe825WQ3djr0w21K4jk2Ed8l7eIhALy3XKRt4GMQtWdmlTJnRFhjq2mA0R
slf6KrDwnoXnP/ffvmBJnVhSF8rtFMlncakfqanWZEWntlaxbzWqF1lpBsyKQur3
mFpvA2wpEI5zBFZrEXXDsKv+AQbAZ7ldnD2IrP79J4MaNJNY9G1yfILwWGqZEZFQ
CoKpZi9rmcTX8OKZx+Sl6y+/8ZwlRqh1geNs0fYxrhWyBZSzbdkJmNSSXqndoa2m
KWEz7xc+O0+DXdf4BR1zVHDqI5Mdz31FH84rQQlV6dgIBkr1n8Yn5ivuz6EdJJoM
GfSsfdGIG46Acjh5mznY3sE6s+1rog6JBQEMJy82V/3J2epnRHJRdO3QGxBa6Vlk
02dS/9TpZLnqE8HnILBRUk5fx5nkgpZqdzrdWeSYOFoaI+ZMFTOXyJJTnVvw/HC3
hyX74IoL0uFuiCYqmftQiVRPckXDe5srmYmTBVlUUGl8vgoNK8c=
=HdVx
-----END PGP SIGNATURE-----

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
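Chris's first check (is AJP enabled at all, and is every AJP <Connector> gone from conf/server.xml?) and his second (is the endpoint reachable from arbitrary hosts?) can both be answered by parsing server.xml rather than eyeballing it. The script below is an added example and is not code from the thread or from the Tomcat project. It assumes that an AJP connector is identified by "ajp" appearing in its protocol attribute, that a missing address attribute means the connector listens on all interfaces (which is the safe assumption for the 8.5.x builds this thread is about), and that only the loopback addresses listed count as "not exposed". The sample server.xml snippets are constructed for the example; comments are dropped by the XML parser, so a commented-out connector is correctly reported as absent.

```python
"""Report AJP <Connector> elements in a Tomcat conf/server.xml.

Added example (not from the mailing-list thread). Assumptions:
  - a Connector is AJP if "ajp" occurs in its protocol attribute
    (e.g. "AJP/1.3" or an org.apache.coyote.ajp.* class name);
  - no address attribute means "bind to all interfaces" (older 8.5.x);
  - only the loopback addresses below are treated as non-exposed.
"""
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def find_ajp_connectors(server_xml: str) -> list:
    """Return one dict per active (non-commented) AJP Connector in the XML."""
    root = ET.fromstring(server_xml)  # comments are discarded by the default parser
    result = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        if "ajp" not in protocol.lower():
            continue
        address = conn.get("address")  # None -> all interfaces (assumption)
        result.append({
            "port": conn.get("port"),
            "protocol": protocol,
            "address": address,
            "exposed": address not in LOOPBACK_ADDRESSES,
        })
    return result


def assess(server_xml: str) -> str:
    """Summarise the AJP exposure of a server.xml as one of three verdicts."""
    connectors = find_ajp_connectors(server_xml)
    if not connectors:
        return "no-ajp"            # CVE-2020-1938 not reachable: nothing listens
    if any(c["exposed"] for c in connectors):
        return "ajp-exposed"       # an AJP listener accepts arbitrary connections
    return "ajp-loopback-only"     # AJP present but reachable only locally


# Constructed sample configurations (not real deployments).
SAMPLE_EXPOSED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

SAMPLE_COMMENTED_OUT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""

SAMPLE_LOOPBACK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               redirectPort="8443" />
  </Service>
</Server>"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
        print(assess(xml_text), find_ajp_connectors(xml_text))
    else:
        for label, sample in (("exposed", SAMPLE_EXPOSED),
                              ("commented-out", SAMPLE_COMMENTED_OUT),
                              ("loopback", SAMPLE_LOOPBACK)):
            print(f"{label:14s} -> {assess(sample)}")
```

Run it against a real file with `python ajp_check.py /path/to/conf/server.xml`; without an argument it walks the three constructed samples. A verdict of "no-ajp" corresponds to Chris's first case (safe to ignore the alert), "ajp-loopback-only" to a connector that is present but not open to arbitrary hosts, and "ajp-exposed" to the situation the scanner is warning about.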



Re: Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)

2020-03-09 Thread Martin Grigorov
Hi,

On Sat, Mar 7, 2020 at 7:02 AM Nitin Kadam  wrote:

> Hello Team,
>
> We received a vulnerability alert from the Security team for "Apache Tomcat AJP
> File Inclusion Vulnerability (unauthenticated check)" and for
> remediation they suggested updating Tomcat to the latest version.
>
> Can you please help to resolve the same without upgrading the existing version,
> i.e. Tomcat 8.5?
>

Why don't you want to upgrade to the latest 8.5.x?
Which version exactly do you use?

Martin


>
>
> --
> Regards,
> NK
>