Articles in this section

See more

Does CVE-2020-1938 Affect Mart 2020r1?

Avatar
Tom Wyszomierski
Updated
Follow

 

 

Question: Does CVE-2020-1938 affect Mart 2020r1?

 

Answer:

Yes, CVE-2020-1938 does affect Mart. Mart uses Tomcat v9.0.27 and the AJP Port is enabled by default. To address this issue, we recommend taking one of the following actions…

If you do not use IIS as a Web Server:

  1. Open \Tomcat64\conf\server.xml
  2. Comment out the AJP connector. For example, change…

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

to

<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

  1. Restart Mart

 

If IIS is used as a Webserver, then the AJP Port is required. In this situation we recommend….

  1. Open \Tomcat64\conf\server.xml
  2. Update the AJP connector to include a required secret…

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

to

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="TOMCAT_IP_ADDRESS" requiredSecret="TOMCAT_AJP_SECRET" />

  1. In the Native_IIS folder, update worker.properties to include the required secret create in the previous step. For example:

 worker.<WORKER_NAME>.secret=TOMCAT_AJP_SECRET

For more information on the worker.properties file see: https://erwin.com/bookshelf/public_html/2020R1/Content/Installation/Workgroup%20Edition%20Implementation%20and%20Administration/sample_files.html

  1. Restart IIS and then restart Tomcat

 

For more information on this vulnerability, please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938  and reach out at https://support.erwin.com/hc/en-us if you have any questions.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk