Apache Tomcat Ghostcat vulnerability for ControlSuite Equitrac

Information:

Apache Tomcat Ghostcat vulnerability (https://cve.mitre.org/cgi-bin/cvenam...=CVE-2020-1938) has been identified.  The following information can be used for ControlSuite Equitrac to avoid this vulnerability.

ControlSuite Equitrac does not utilize the AJP feature of Apache Tomcat, however the protocol is enabled by default. The recommendation is to disable AJP explicitly.  Edit the <Tomcat>/conf/Server.xml file and comment out the AJP.

Steps to modify Apache Tomcat configuration for ControlSuite Equitrac:

1. Stop the DWS service
2. Navigate to the install folder [by default:  C:\Windows\System32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\conf\]
3. Edit the Server.XML file
4. Find the line <Connector port = “8009” protocol = “AJP / 1.x” redirectPort = “8443” />
5. Edit the line to comment it out, by changing it to [<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />--> ]
6. Save the Server.XML file
7. Start DWS service

NOTE: The server.xml file located in C:\Program Files\Nuance\Shared Services\DWS\ tomcat\conf is not used.

Links about the vulnerability:

https://www.chaitin.cn/en/ghostcat
https://blog.trendmicro.com/trendlab...vd-2020-10487/

Applies to: