Issued: 4th March 2020
This bulletin addresses a recent vulnerability discovered in the Apache JServ Protocol (AJP) that effects Contrast Security’s Enterprise on Premise TeamServer.
What’s the impact?
Apache versions 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 are vulnerable to a newly published CVE. Details of which can be found at the following link: CVE-2020-1938.
Am I affected?
Customers are vulnerable if all of the following conditions are met:
- Contrast Enterprise on Premise is on version 3.7.0.709 or lesser
- AJP has not been disabled
- The port on which AJP is running is open to the internet
The AJP configuration can be found in the Enterprise on Premise installation directory, under $CONTRAST_HOME/data/conf/server.properties.
How can I resolve the issue?
1. Contrast has released version 3.7.1 of Enterprise on Premise which includes version 9.0.31 of Tomcat which is not susceptible to these vulnerabilities. As such, we recommend upgrading as soon as possible.
2. Alternatively, if you’re unable to upgrade at this time and you’re not using AJP, you can disable the AJP connector through the steps outlined in the following knowledge article: How to disable AJP for Enterprise on Premise
If you have any questions, concerns, or would like to discuss this issue further, please don’t hesitate to reach out to us via the link below or at support@contrastsecurity.com.