How to secure Tomcat against CVE-2020-1938
Issue
- Tomcat (9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99) ships with an AJP Connector enabled by default that can be exploited by an attacker.
Environment
- Red Hat Enterprise Linux
  - 5.x ELS
  - 6.x
  - 7.x
  - 8.x (as pki-servlet-container, pki-servlet-engine in pki-deps module)
- Tomcat
  - 7.0.0 to 7.0.99 with AJP Connector enabled
  - 8.5.0 to 8.5.50 with AJP Connector enabled
  - 9.0.0.M1 to 9.0.0.30 with AJP Connector enabled