Kofax

Pen Testing shows DWS has vulnerabilities for Apache Tomcat

3023921

Information: 

Pen Testing shows vulnerabilities for the Device Web Server (DWS) component of Equitrac in versions 5 and 6.

Device Web Service is installed and implemented using Apache Tomcat 7 as a web server to allow communication between web-based Multi Function Printers (MFPs) and the Equitrac Device Control Engine (DCE). It is designed so that the known Apache Tomcat vulnerabilities are mitigated from the moment of installation, ensuring there are no security risks in using this component.

There are several Common Vulnerabilities and Exposures (CVEs) in Apache Tomcat 7 listed in the US government's National Vulnerability Database (NVD) and mentioned in most security penetration tests worldwide. It is important to note that most tests report vulnerabilities based on the software version even if they have already been remedied on the server.

The three CVEs scoring the highest in penetration tests are listed below:

CVE-2020-1935 (https://nvd.nist.gov/vuln/detail/CVE-2020-1935)

CVE-2020-1938 (https://nvd.nist.gov/vuln/detail/CVE-2020-1938)

CVE-2019-0232 (https://nvd.nist.gov/vuln/detail/CVE-2019-0232)

Along with the NVD advice in the links above, here are the steps that Kofax has taken to mitigate these threats:

CVE-2020-1935

In Apache Tomcat, the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid.  This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely and we have no known instances of this at any of our customers.

CVE-2020-1938

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. This threat is mitigated by disabling AJP. DWS does not use AJP and it is disabled by default. Customers concerned with this threat can easily check and verify that the AJP connector is disabled in server.xml.

See the knowledge base article: Apache Tomcat Ghostcat vulnerability for Equitrac Office / Express 5.x

CVE-2019-0232

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows.  In our implementation of DWS, CGI is disabled by default and we never enable it.
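The two checks the article describes, that no AJP connector is enabled in server.xml and that the CGI servlet (and its enableCmdLineArguments parameter) is not defined in web.xml, can be scripted against the Tomcat configuration files. The following is an added example, not Kofax or Apache code; the server.xml and web.xml fragments it contains are constructed samples in the stock Tomcat 7 layout, and the file paths it accepts are whatever the DWS installation uses on the server being checked.

```python
"""Audit a Tomcat configuration for the two settings this article says DWS keeps off:
an AJP connector in server.xml (CVE-2020-1938) and the CGI servlet with
enableCmdLineArguments in web.xml (CVE-2019-0232)."""
import xml.etree.ElementTree as ET

# Constructed sample: a Tomcat 7 server.xml with the stock AJP connector commented out.
SERVER_XML_AJP_OFF = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed sample: the same file with the AJP connector left active.
SERVER_XML_AJP_ON = SERVER_XML_AJP_OFF.replace(
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->',
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>')

# Constructed sample: a conf/web.xml with the CGI servlet defined and enableCmdLineArguments on.
WEB_XML_CGI_ON = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: a conf/web.xml without any CGI servlet (the DWS default described above).
WEB_XML_CGI_OFF = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the Java EE namespace that web.xml declares so tags compare by local name."""
    return tag.rsplit('}', 1)[-1]


def ajp_connectors(server_xml):
    """Return enabled AJP connectors in server.xml as (port, address, secretRequired) tuples.
    A connector that has been commented out never reaches the parser, so it counts as disabled."""
    found = []
    for conn in ET.fromstring(server_xml).iter('Connector'):
        proto = conn.get('protocol', 'HTTP/1.1')  # Tomcat's default protocol when unset
        if proto.startswith('AJP/') or proto.startswith('org.apache.coyote.ajp.'):
            found.append((conn.get('port'), conn.get('address', '<unset>'), conn.get('secretRequired')))
    return found


def cgi_servlets(web_xml):
    """Return CGI servlet definitions in web.xml as (servlet-name, enableCmdLineArguments) tuples."""
    found = []
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != 'servlet':
            continue
        fields = {_local(c.tag): (c.text or '').strip() for c in servlet}
        if fields.get('servlet-class') != 'org.apache.catalina.servlets.CGIServlet':
            continue
        cmdline = False
        for param in servlet:
            if _local(param.tag) != 'init-param':
                continue
            kv = {_local(c.tag): (c.text or '').strip() for c in param}
            if kv.get('param-name') == 'enableCmdLineArguments':
                cmdline = kv.get('param-value', '').lower() == 'true'
        found.append((fields.get('servlet-name'), cmdline))
    return found


def audit(server_xml, web_xml):
    """Return human-readable findings; an empty list means both settings match the DWS defaults."""
    findings = []
    for port, address, secret in ajp_connectors(server_xml):
        findings.append(f"AJP connector enabled on {address}:{port} (secretRequired={secret})")
    for name, cmdline in cgi_servlets(web_xml):
        findings.append(f"CGI servlet '{name}' defined (enableCmdLineArguments={cmdline})")
    return findings


if __name__ == '__main__':
    import sys
    # Usage: python tomcat_audit.py <path/to/server.xml> <path/to/web.xml>
    # With no arguments the constructed "both enabled" samples are audited instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            results = audit(f.read(), g.read())
    else:
        results = audit(SERVER_XML_AJP_ON, WEB_XML_CGI_ON)
    print('\n'.join(results) or 'OK: no AJP connector, no CGI servlet')
```

Run it against the conf/server.xml and conf/web.xml of the DWS Tomcat instance; an empty result confirms the defaults the article describes, while any finding names the connector or servlet that needs attention.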

Summary

Customers running Equitrac v5.7 who are concerned with the approaching end of life of Tomcat 7 (31 March 2021) can request a special release of DWS that incorporates Tomcat version 9; see How to Upgrade Equitrac Office/Express 5.7 to a version of Device Web Server (DWS) using Apache Tomcat 9 - Kofax

There are no plans to backport Tomcat 9 to ControlSuite 1.0 OR 1.1 on previous fixpacks, so please upgrade to ControlSuite 1.2 if you are on earlier fixpacks.

Kofax updates each case on a ticket by ticket basis to advise on individual concerns, often supplying links to external resources and the Kofax Knowledge Base. We do not provide official statements or letters.

Applies to:

Product            Version
Equitrac Office    5.x
Equitrac Express   5.x