A recent vulnerability in Tomcat’s Apache JServ Protocol (AJP) Connector (CVE-2020-1938) has raised concern among some Pentaho customers that they may be exposed to a security risk, specifically because of the vulnerability’s potential use for remote code execution.
After careful review, Pentaho recommends that an upgrade to Tomcat 8.5.51 is necessary if AJP connectors are enabled.
The AJP is a binary protocol used by the Apache Tomcat webserver to communicate with the servlet container that sits behind the webserver using TCP connections. It is mainly used in a cluster or reverse proxy scenario where web servers communicate with application servers or servlet containers.
Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they may be exploited in ways that may represent a risk.
In Apache Tomcat 9.0.0.M1 to 126.96.36.199, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, the AJP Connector is enabled by default, meaning it can listen on all configured IP addresses.
We recommend that AJP Connectors be manually disabled unless you require them.
- If AJP Connectors are disabled or the AJP ports are not accessible to untrusted users, you are not exposed to this vulnerability.
- If they are enabled and exposed, we recommend you upgrade to the latest Pentaho Service Pack where this vulnerability is addressed:
Figure 1: Your Current Pentaho Version and Recommended Action
- If you are currently unable to upgrade to these Pentaho versions, the only way to defend against this vulnerability and block the vector that permits returning arbitrary files and execution as JSP is to upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. However, this configuration is at your own risk, as it may not have been fully certified against your current Pentaho version.
If you have any questions, please visit Pentaho’s Support Portal and submit a ticket referencing this article.