Nitin,

On 3/7/20 00:02, Nitin Kadam wrote:
> Hello Team,
>
> We received vulnerability alert from Security team for "Apache
> Tomcat AJP File Inclusion Vulnerability (unauthenticated check)"
> and for remediation they suggested to update tomcat with latest
> version.
>
> Can you please help to resolve same without upgrading the existing
> version i.e. tomcat 8.5

1. Are you using the AJP protocol at all? If not, then you can ignore
CVE-2020-1938. Just make sure that all AJP <Connectors> have been
completely removed from your conf/server.xml file.

2. Are you securing your endpoints against arbitrary connections? If
so, then you can ignore CVE-2020-1938. If you haven't secured your
endpoints, then you were going to be vulnerable to other hi-jinx in
the first place.

-chris