See the vulnerability description here: CVE-2020-1938.
Apache Tomcat installed using the ERA 6.5 and ESMC 7.0 All-in-one installers already contains the secure Tomcat configuration; in that case the update is optional.
The affected Apache Tomcat versions are:
In the affected versions, Apache Tomcat treats AJP connections as more trusted than other connections. ESET Security Management Center and ESET Remote Administrator do not use the AJP connector.
There are three possible solutions to this issue. You need to apply only one of them:
Use the ESMC 220.127.116.11 all-in-one installer for Windows to upgrade your Apache Tomcat to version 9.0.33. See this Knowledgebase article with detailed steps.
Block the Apache JServ Protocol (AJP) port 8009 for incoming connections on your firewall:
Windows Server usually blocks the port by default, but you can create a new explicit rule to block the port. If you manage your firewall with a security product, use the product to create a rule to block inbound connections on port 8009.
You can check if the port is open by using the following command:
netstat -ano | findstr 8009
Make sure to block port 8009 using your security product or the Linux iptables utility.
If you use iptables, run the following command as superuser (the `-p tcp` match is required for `--destination-port` to be accepted):
iptables -A INPUT -p tcp --destination-port 8009 -j DROP
You can check if the port is open using the following command:
ss -a | grep 8009
On the Appliance, no action is required: its firewall is pre-set to block all connections not related to ESET products.
Disable the AJP connector in the Tomcat configuration. Use this solution if you need to keep port 8009 available. On Windows, the configuration file is located at:
C:\Program Files\Apache Software Foundation\[ Tomcat folder ]\conf\server.xml
On Linux, the location of server.xml depends on the distribution:
Debian and Ubuntu distributions:
CentOS, Red Hat and Fedora distributions:
Linux with systemd:
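To verify that the AJP connector is actually disabled (or at least confined) after editing server.xml, the following added example, which is not part of the ESET article, parses the file with the Python standard library and reports every enabled AJP connector; the embedded server.xml is constructed and shows the default connector, the commented-out form that this solution produces, and a hardened connector bound to loopback with a shared secret (the Tomcat attribute names protocol, address, secretRequired and secret are real; the secret value is a placeholder).

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the default AJP connector on 8009 as shipped
# before the fix, the commented-out ("disabled") form that this solution
# describes, and a hardened connector bound to loopback with a shared secret.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- Disabled form: comment out (or delete) the AJP connector.
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="placeholder-change-me" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per enabled AJP connector (XML comments are skipped)."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():   # "AJP/1.3" or an Ajp*Protocol class
            continue
        address = conn.get("address", "")   # no address = bind on all interfaces
        loopback_only = address in LOOPBACK
        has_secret = bool(conn.get("secret"))
        findings.append({
            "port": int(conn.get("port", "8009")),
            "loopback_only": loopback_only,
            "has_secret": has_secret,
            # Reachable from other hosts, or reachable by anyone without a secret
            "exposed": (not loopback_only) or (not has_secret),
        })
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {f['port']}: "
              f"{'EXPOSED' if f['exposed'] else 'ok'} (loopback_only={f['loopback_only']}, has_secret={f['has_secret']})")
```

Run it against the real server.xml path listed above (read the file and pass its contents to audit_ajp_connectors) after editing; an empty result means no enabled AJP connector remains.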