Does CVE-2020-1938 Affect Mart 2020r1?

Question: Does CVE-2020-1938 affect Mart 2020r1?

Answer:

Yes, CVE-2020-1938 does affect Mart. Mart uses Tomcat v9.0.27 and the AJP Port is enabled by default. To address this issue, we recommend taking one of the following actions…

If you do not use IIS as a Web Server:

1. Open \Tomcat64\conf\server.xml
2. Comment out the AJP connector. For example, change…

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

to

<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

3. Restart Mart

If IIS is used as a Webserver, then the AJP Port is required. In this situation we recommend….

1. Open \Tomcat64\conf\server.xml
2. Update the AJP connector to include a required secret…

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

to

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="TOMCAT_IP_ADDRESS" requiredSecret="TOMCAT_AJP_SECRET" />

4. In the Native_IIS folder, update worker.properties to include the required secret create in the previous step. For example:

 worker.<WORKER_NAME>.secret=TOMCAT_AJP_SECRET

For more information on the worker.properties file see: https://erwin.com/bookshelf/public_html/2020R1/Content/Installation/Workgroup%20Edition%20Implementation%20and%20Administration/sample_files.html

5. Restart IIS and then restart Tomcat

For more information on this vulnerability, please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938  and reach out at https://support.erwin.com/hc/en-us if you have any questions.