Apache Tomcat Ghostcat vulnerability (https://cve.mitre.org/cgi-bin/cvenam...=CVE-2020-1938) has been identified. The following information can be used for Equitrac Office and Equitrac Express to avoid this vulnerability.
Equitrac does not utilize the AJP feature of Apache Tomcat, so the protocol can be safely disabled. Edit the <Tomcat>/conf/Server.xml file and comment out the AJP as required.
Steps to modify Apache Tomcat configuration for Equitrac Office / Express:
- Stop the DWS service
- Navigate to the install folder [by default: C:\Users\<service_account>\AppData\Local\Equitrac\Equitrac Platform Component\EQDWSSrv\webserver\conf ] where <service account> is the account running the EQ services.
- Edit the Server.XML file
- Find the line <Connector port = “8009” protocol = “AJP / 1.x” redirectPort = “8443” />
- Edit the line to comment it out, by changing it to [<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> --> ]
- Save the Server.XML file
- Start DWS service
NOTE: The server.xml file located in C:\Program Files\Equitrac\Express\DWS\apache-tomcat\conf is not used.
Links about the vulnerability: